New Android Trojan Steals Your Money Using PayPal's Official App

There have been some bad trojans found on Android, but this is possibly one of the worst. This new threat automates a PayPal transaction for $1000 and sends it using the official PayPal app—even on accounts with 2FA enabled.

The PayPal Hijack

It does this using a couple of different methods and leveraging Android’s Accessibility services. The malicious app is currently disguising itself as an Android optimization tool and has been making its way onto users’ phones through third-party app stores. So for starters, don’t use third-party app stores.

When installed, “Optimization Android” (seriously, why would you install something with a name like this in the first place?) also registers an Accessibility service called “Enable statistics” and prompts the user to turn it on. The request looks harmless enough: granting it lets the app observe the user’s actions and retrieve window content. If you think it’s all in the name of making your phone faster, it almost makes sense.

But that’s where things get worse, because an enabled Accessibility service can act on the screen as well as read it: the trojan can now tap buttons on the user’s behalf, effectively emulating touches. It then generates a notification that looks like it comes from PayPal, urging the user to log in.
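
The one setting that decides whether an app like this can drive the screen is the list of enabled Accessibility services, which Android keeps as a colon-separated list of `package/ServiceClass` entries in the secure setting `enabled_accessibility_services`. The following audit script is an added example, not code from the original article or from ESET: it parses that setting and reports every enabled service whose package is not on an allowlist. The allowlist and the sample setting value (including the `com.example.optimization` package) are constructed for the example and are not indicators taken from the real trojan.

```shell
#!/bin/sh
# Added example (not from the original article or from ESET): report Accessibility
# services enabled on an Android device that are not on a known-good allowlist.
# Android stores the enabled list in the secure setting
# "enabled_accessibility_services" as colon-separated "package/ServiceClass" entries.

# Packages whose Accessibility services are expected on this device.
# This allowlist is an assumption for the example; adjust it per fleet.
KNOWN_A11Y_PACKAGES="com.google.android.marvin.talkback com.android.switchaccess"

# $1: raw value of the enabled_accessibility_services setting.
# Prints each entry whose package is not allowlisted; returns 0 when nothing is unexpected.
audit_a11y_services() {
    setting="$1"
    unexpected=0
    # `settings get` prints "null" when no service has ever been enabled.
    [ "$setting" = "null" ] && return 0
    # Split the setting on ':' into positional parameters, then restore IFS.
    oldifs="$IFS"
    IFS=':'
    set -- $setting
    IFS="$oldifs"
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"   # package name is everything before the first '/'
        allowed=0
        for k in $KNOWN_A11Y_PACKAGES; do
            [ "$pkg" = "$k" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNEXPECTED accessibility service enabled: %s\n' "$entry"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Constructed sample: a legitimate screen reader plus a service named after the
# trojan's "Enable statistics" lure. The package name is made up for the example.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.optimization/.EnableStatisticsService"

# Offline sample run. On a connected device (requires adb), use the live value instead:
#   audit_a11y_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
audit_a11y_services "$SAMPLE_SETTING" || echo "review the services above: a malicious one can tap the screen for you"
```

Anything reported here that the user did not knowingly enable deserves a look, because a service in this list has exactly the read-the-screen-and-click capability the trojan relies on.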

When tapped, this notification opens the official PayPal app (if installed), so this isn’t a phishing attempt. The official app opens and asks the user to log in. Since this is a legitimate login in the official app, 2FA does nothing to protect the account: you log in as normal and enter your 2FA code when it arrives. 2FA authenticates the login, and the login here really is the user’s; what it cannot do is stop a malicious Accessibility service from driving the app once the session is open.

Once you’re logged in, the malicious app takes over, transferring $1000 from your PayPal account to the attacker. This automated process completes in fewer than five seconds. ESET’s We Live Security blog made a video of the entire process, and it’s pretty crazy how fast it all happens:

By the time you realize what’s going on, it’s too late to stop it. The only thing that halts the process once it has started is PayPal itself refusing the transfer because the balance is too low and there is no other funding method; in that case the transaction simply fails. Otherwise, you’re out a grand.

But it doesn’t end there.

The Overlay Attack

Not only does this particular trojan attack the user’s PayPal account, but it also uses Android’s screen overlay feature (the “draw over other apps” permission) to place fake login screens on top of legitimate apps.

The malware downloads HTML overlay screens for Google Play, WhatsApp, Skype, and Viber, then uses them to phish credit card details. It can also create an overlay for a Gmail login, stealing the user’s login credentials.

While the overlay attack is currently limited to the aforementioned apps, the list could be updated at any time, meaning this type of attack can be expanded at any point to steal basically any type of information the attacker wants. We Live Security goes on to highlight that the attacker could be exploring other options for using the overlay:
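
Whatever apps end up on the target list, the overlay half of this trojan depends on one thing: the package being allowed to draw over other apps (the `SYSTEM_ALERT_WINDOW` app op). The script below is an added example, not code from the original article or from ESET. It reduces the output of `appops get <pkg> SYSTEM_ALERT_WINDOW` to a single mode and lists the third-party packages that are allowed to overlay. The package names and the app-ops output in the sample run are constructed for the example; on a real device the query function shells out to `adb`.

```shell
#!/bin/sh
# Added example (not from the original article or from ESET): list third-party
# packages that are allowed to draw over other apps (SYSTEM_ALERT_WINDOW),
# the permission an overlay attack needs. Sample packages and app-ops output
# below are constructed for the example.

# $1: raw output of `appops get <pkg> SYSTEM_ALERT_WINDOW`.
# Prints one word: allow, deny, ignore, or "default" when there is no record
# for the op (the device prints "No operations." in that case).
overlay_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*SYSTEM_ALERT_WINDOW: *\([a-z]*\).*/\1/p' | head -n 1)
    [ -z "$mode" ] && mode="default"
    printf '%s\n' "$mode"
}

# Query function for a connected device (requires adb; not used by the offline sample run).
adb_query_overlay() {
    adb shell appops get "$1" SYSTEM_ALERT_WINDOW | tr -d '\r'
}

# Constructed stand-in for adb_query_overlay so the example runs offline.
# Package names are made up; none of them is an indicator from the real trojan.
sample_query_overlay() {
    case "$1" in
        com.example.optimization) echo "SYSTEM_ALERT_WINDOW: allow; time=+2d3h ago" ;;
        com.example.notes)        echo "SYSTEM_ALERT_WINDOW: deny" ;;
        *)                        echo "No operations." ;;
    esac
}

# $1: whitespace-separated package list, $2: name of the query function to use.
# Prints each package that may draw overlays; returns 1 if there is at least one.
audit_overlays() {
    found=0
    for pkg in $1; do
        if [ "$(overlay_mode "$("$2" "$pkg")")" = "allow" ]; then
            printf 'OVERLAY ALLOWED: %s\n' "$pkg"
            found=1
        fi
    done
    return "$found"
}

# Offline sample run. Against a device, feed it the installed third-party packages:
#   audit_overlays "$(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://')" adb_query_overlay
audit_overlays "com.example.optimization com.example.notes com.example.weather" sample_query_overlay \
    || echo "at least one third-party package can draw over other apps"
```

A "default" result means the device holds no explicit decision for that package; treat only an explicit `allow` as the overlay capability being present, and check any allowed package you do not recognise as a legitimate floating-window app.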

According to our analysis, the authors of this Trojan have been looking for further uses for this screen-overlaying mechanism. The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions. It is unclear whether the attackers behind this Trojan are also planning to extort money from victims, or whether this functionality would merely be used as a cover for other malicious actions happening in the background.

How to Stay Safe

While we have a detailed piece on how to avoid Android malware, here’s a TL;DR for staying safe:

  1. Only install apps from Google Play. Avoid third-party app stores, especially ones that promise paid apps for free.

  2. Exercise caution when sideloading. If sideloading an app, make sure it’s legit first.

  3. Don’t install pirated apps. Seriously. It’s not only crappy, but potentially opens you up to all sorts of malicious crap.

  4. Do your research. Even when using Google Play, read reviews and pay attention—while more secure than most third-party stores, the Play Store isn’t completely impervious to malware.

Source: We Live Security

Translated from: https://www.howtogeek.com/fyi/new-android-trojan-steals-your-money-using-paypals-official-app/