Protecting Mobile Banking Apps against the Recent PayPal Android Trojan and Android Accessibility Abuse

OneSpan Team,

Android’s accessibility services make it easier for people to interact with Android apps or devices without the traditional user interface. Unfortunately, attackers can abuse those same helpful features to defraud users and financial institutions (FIs), such as in the case of a PayPal Android Trojan capable of stealing $1,000 from users in a matter of seconds despite the app’s use of two-factor authentication (2FA). Fortunately, a layered approach to authentication and mobile app security can protect your app against these types of attacks.

Examples of the advantages provided by Android accessibility services include allowing someone with low vision to control an app or device with their voice or someone with limited dexterity to use an external “switch” hardware device to navigate through an app without having to swipe and press small buttons with their finger. Activating Android accessibility features, however, empowers an app to interact with other apps on the device without traditional user intervention – and can have ramifications that the typical user isn’t aware of.

Late last year, researchers discovered state-of-the-art mobile malware capable of bleeding Android users’ PayPal accounts dry in the blink of an eye. This is one of the most sophisticated examples of mobile malware the world has ever seen. Run-of-the-mill app security alone can’t compete with these more advanced attacks, and in this case, not even two-factor authentication could stop it.

Paypal Android Trojan: What Happened?

The malware, published on a third-party app store, posed as a battery optimization app—called Optimization Android—but provided no such functionality. After a user downloaded the app from a third-party app store and launched it, the malware immediately shut down and hid its icon from view. Next, the malware asked the user to enable an accessibility service on the device called “Enable statistics.”

From there, the malware identified whether PayPal was installed on the device, and if so, it urgently prompted the user with a notification to “Confirm your account immediately.” Once the user clicked the notification, the official PayPal app launched. The malware circumvented the app’s 2FA by lying in wait as the user logged-in. Once the user had entered the security code received via SMS, the malware pounced.

Abusing the accessibility service, the app mimics the user by automatically clicking buttons and entering text within the PayPal interface to send $1,000 or €1,000 to the attacker’s account in less than four seconds. Because the malware acts so quickly in submitting the transaction, there’s really no time for the user to intervene.

The malware also included more familiar mobile banking Trojan capabilities, such as presenting users with overlay screens that phish for credentials or payment card details. But, malware that automates user actions, targets a real-time payments app, and is capable of defrauding users in seconds has not really been seen before. Worse yet, it could be a signal of what is to come.

Mobile App Shielding
White Paper

Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue

Learn how app shielding with runtime-protection is key to developing a secure, resilient mobile banking app.

Download Now

Evolving Mobile Threats and Real-time Payments

A New York Times article published earlier this year told multiple stories of consumers falling victim to fraud schemes that leveraged Zelle as a payment channel. Fraudsters mostly succeeded in these cases due to social engineering techniques rather than through any security weaknesses inherent in the Zelle platform.

A partner at PwC quoted in the article said she knew of one bank that experienced a 90% fraud rate on Zelle transactions. She also went on to say that many banks implement Zelle without adequate protections, such as 2FA or user-behavior monitoring. PwC later issued a correction stating that the 90% statistic was unsubstantiated and that most banks have strong authentication controls in place.

In the recent attack targeting PayPal for Android, two-factor authentication did nothing to mitigate the fraud. The malware circumvented it simply by waiting it out. Not all users will be security savvy, as illustrated by the Zelle fraud case. FIs need to provide more help and protection in this battle against cybercriminals, because their users are up against a formidable opponent.

Users Deserve More Security Support in an Increasingly Hostile Threat Landscape

Users have it tough enough already. The mobile ecosystem is a wild west with numerous issues, including vulnerable devices that users are unable to update and malicious apps distributed on and off official app stores. Developers may or may not have time to ensure their apps handle users’ data in a secure fashion. There’s no telling what the security status of a mobile user’s device might be — especially with malware continuing to mature and becoming increasingly clandestine.

However, there is hope. Financial institutions need to counter these methods with equal innovation. Now is the time for financial institutions to adopt advanced security technologies, such as mobile app shielding, intelligent adaptive authentication, and behavioral biometrics, to reduce fraud in the mobile channel and protect users from themselves. Best of all, these technologies protect customers and FIs from fraud without unnecessarily encumbering the user experience.

How to Protect Against Mobile Banking Trojans that Abuse Android Accessibility Services

The Paypal Android Trojan was able to exploit the PayPal app because of a simple assumption. After the user is authenticated, the app assumes that it is running in a safe environment. That’s obviously incorrect. Continuous monitoring of the user session is necessary to continuously protect the mobile app’s runtime.

The PayPal Android Trojan monitored processes running on the app. If it recognized the PayPal process, it went to work. App shielding would have intelligently rendered the name of the PayPal process unrecognizable, so that the PayPal app was essentially hidden from the malware. This would have proactively protected against the attack, even on a compromised device.

Once the money transfer was initiated, the fact that it was a payment to a newly added recipient and at a relatively high value would have been recognized by Intelligent Adaptive Authentication (IAA). IAA would have prompted the user for additional authentication to confirm and/or sign the transaction. With that control in place, the user would have had the opportunity to stop the transaction.

Finally, if behavioral biometrics were integrated into the app, the technology would have flagged the automated interactions as not human, no matter the speed, and stopped the fraudulent transaction from executing. Behavioral biometrics capture the way a user typically uses their device over a period of time (e.g., how they type, the angle at which they typically hold their device) and define a user profile based on an algorithm. If the interactions taking place on the phone don’t match the profile, the app would stop the operation or ask for additional authentication measures.

Best of all, both app shielding and behavioral biometrics are discreet security safeguards that don’t interrupt the customer experience unless something has gone awry. Essentially, these are invisible security measures, and they’re available and in use by some forward-thinking FIs today.

It’s high time financial institutions match the increasingly sophisticated mobile threats with sophisticated mobile app security. FIs need security capable of protecting users and defending apps in untrusted and potentially hostile environments.

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.