Fake PayPal app is going after German users’ banking credentials
An email spam run impersonating PayPal is actively targeting German Android users and trying to trick them into downloading what is ostensibly the official PayPal app, but is actually a banking Trojan.
The fake email looks pretty believable – the PayPal logo, (relatively) good German, some basic clean design – and some recipients were likely convinced into installing the app.
According to Trend Micro researchers, the malicious app is not hosted on Google Play. This is where the Android setting set on disallowing the installation of non-Market application can really save users.
If a user proceeds with downloading and installing the app, the Trojan will ask to be made a “Device Administrator”. This will help it hide from the user’s sight and make it more difficult to remove, as well as allow it to perform a number of other changes:
“Even if the user decides to not grant device administrator privileges, the malicious app will still disappear from the home screen and continue to run in the background. It is also removed from the launcher screen, making it almost impossible to interact with and/or remove,” the researchers warn.
The fake app/Trojan is able to perform UI hijacking, which will allow it to impersonate a number of legitimate apps when the user is required to enter their login credentials to perform an action.
“Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user’s PayPal credentials,” they explained. The same thing happens when the victim tries to use the official online banking app of German Commerzbank, and several other banks popular in the country.
Unfortunately for potential targets, the crooks behind this scheme are not only misusing the good name of PayPal to trick users into installing this Trojan. The same malware also comes disguised as Flash Player, game apps and adult apps.
Users are advised to be careful about the apps they install (check the permissions it asks), and not to trust unsolicited emails urging them to download something.”