A spam campaign is targeting German Android users: the malicious emails impersonate PayPal and try to trick the recipient into downloading a bogus PayPal app update that hides a banking Trojan.
“Mobile banking is now used by more and more users, so it shouldn’t be a surprise to see banking Trojans trying to hit these users as well. We’ve seen spammed mails that pretend to be an update notification for an official PayPal app. These mails ask the user to click on a link to download the update; users in Germany appear to be the target of this spam run based on the language used.” states a blog post published by Trend Micro.
As usual, the spam email looks like a legitimate one: it is written in good German and has a clean layout.
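The lure described above relies on a link that sends the reader to an APK hosted outside Google Play. The following is an added triage example, not code from the original post or from Trend Micro: it parses a constructed sample mail, pulls the links out of the HTML body, and reports why each one looks like a fake app-update lure (direct APK download, host outside the brand's domains, brand name embedded in a look-alike host). The allow-list of PayPal domains and the sample mail are assumptions made for the example.

```python
"""Triage heuristic for a fake app-update mail (added example, constructed data)."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the campaign: PayPal branding, German
# text, and a link to an APK hosted outside Google Play. Not a real sample.
SAMPLE_MAIL = """\
From: "PayPal" <service@paypal.com>
To: kunde@example.de
Subject: Wichtiges Update fuer Ihre PayPal App
Content-Type: text/html; charset=utf-8

<html><body>
<p>Bitte aktualisieren Sie Ihre PayPal App.</p>
<a href="http://update-paypal.example.net/PayPal_Update.apk">Jetzt aktualisieren</a>
</body></html>
"""

# Constructed benign counterpart: same branding, link to the real brand domain.
BENIGN_MAIL = """\
From: "PayPal" <service@paypal.com>
To: kunde@example.de
Subject: Ihre Zahlung
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.paypal.com/de/signin">Anmelden</a></body></html>
"""

# Assumption: domains the brand legitimately uses for links in its mails.
TRUSTED_DOMAINS = {"paypal.com", "paypal.de"}
BRAND_WORD = "paypal"


class _LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _host_allowed(host, trusted):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def _html_body(msg):
    """Return the decoded text/html part of the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def triage_mail(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of findings explaining why the mail looks like an APK lure."""
    msg = message_from_string(raw)
    extractor = _LinkExtractor()
    extractor.feed(_html_body(msg))
    findings = []
    for link in extractor.links:
        url = urlparse(link)
        host = (url.hostname or "").lower()
        if url.path.lower().endswith(".apk"):
            findings.append(f"direct APK download: {link}")
        if not _host_allowed(host, trusted):
            findings.append(f"link host outside brand domains: {host}")
            if BRAND_WORD in host:
                findings.append(f"brand name in look-alike host: {host}")
    return findings


def is_apk_lure(raw):
    """True when at least one finding is raised for the mail."""
    return bool(triage_mail(raw))


if __name__ == "__main__":
    for line in triage_mail(SAMPLE_MAIL):
        print("-", line)
```

Only `text/html` parts are inspected here; a production filter would also scan `text/plain` bodies and attachments, and would resolve shortened URLs before judging the host.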
The researchers at Trend Micro explained that the malicious app is not hosted on the official Google Play store; this means that all users who have disabled the setting that restricts installation to Google Play (i.e., who allow installation from unknown sources) are potentially at risk.
When victims download and install the bogus app, the banking Trojan will ask for device administrator privileges to perform a series of actions on the device.
“Even if the user decides to not grant device administrator privileges, the malicious app will still disappear from the home screen and continue to run in the background. It is also removed from the launcher screen, making it almost impossible to interact with and/or remove.” continues the post.
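The traits listed in the two preceding paragraphs (sideloaded from outside Google Play, a request for device administrator rights, and an icon removed from the launcher) can be checked against a package inventory. The following is an added example, not code from the original post or from Trend Micro: it scores constructed inventory records and flags packages that show at least two of those traits, so a sample that hides its icon even when device admin was refused is still caught. The record layout, the package names other than Google Play's installer id, and the threshold are assumptions made for the example.

```python
"""Review an Android package inventory for the traits of the PayPal Trojan (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real installer package name reported for apps installed through Google Play.
GOOGLE_PLAY_INSTALLER = "com.android.vending"


@dataclass
class PackageInfo:
    """One row of a constructed inventory (e.g. exported from an MDM agent)."""
    package: str
    installer: Optional[str]   # None when sideloaded (browser download, file manager)
    has_launcher_icon: bool
    device_admin: bool
    is_system: bool = False


def assess(pkg: PackageInfo) -> List[str]:
    """Return the suspicious traits present on one package."""
    reasons = []
    if pkg.is_system:
        return reasons  # system packages legitimately lack icons and installers
    if pkg.installer != GOOGLE_PLAY_INSTALLER:
        reasons.append("sideloaded (installer is not Google Play)")
    if pkg.device_admin:
        reasons.append("holds device administrator rights")
    if not pkg.has_launcher_icon:
        reasons.append("no launcher icon (hidden from the user)")
    return reasons


def suspicious_packages(inventory: List[PackageInfo], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Map package name -> reasons for every package with at least min_reasons traits."""
    result = {}
    for pkg in inventory:
        reasons = assess(pkg)
        if len(reasons) >= min_reasons:
            result[pkg.package] = reasons
    return result


# Constructed inventory; package names below are placeholders, not real IoCs.
SAMPLE_INVENTORY = [
    # the genuine app from the store: visible icon, no admin rights
    PackageInfo("com.paypal.android.p2pmobile", GOOGLE_PLAY_INSTALLER, True, False),
    # a sideloaded "update" that asked for admin rights and hid its icon
    PackageInfo("de.example.paypalupdate", None, False, True),
    # a sideloaded sample where the user refused admin rights but the icon still vanished
    PackageInfo("de.example.flashplayer", None, False, False),
    # a legitimate MDM agent from the store that needs admin rights
    PackageInfo("com.example.mdmagent", GOOGLE_PLAY_INSTALLER, True, True),
    # a system service without an icon
    PackageInfo("com.android.providers.settings", None, False, False, is_system=True),
]


if __name__ == "__main__":
    for name, reasons in suspicious_packages(SAMPLE_INVENTORY).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The threshold of two traits keeps a store-installed MDM agent that legitimately holds admin rights out of the report while still catching a sideloaded package whose icon has disappeared.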
The bogus PayPal app is able to perform UI hijacking. This feature is very insidious because it allows the malware to impersonate a number of legitimate apps every time the user is asked to enter their credentials. The same feature is used to steal credentials when users open the legitimate PayPal app.
“Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user’s PayPal credentials,” the post explains. “Aside from PayPal, the code also targets other banking apps like “Commerzbank”, which is a famous bank in Germany.”
The experts at Trend Micro have identified more than 200 malicious apps that belong to this particular malware family. Crooks disguised the malicious agent as Flash Player, game apps and adult apps.
Let me close by reporting the suggestions published by Trend Micro to avoid infection:
(Security Affairs – PayPal scam, malware)