{
	"id": "33e013b2-7bdd-4d4f-ac05-41fe7fd8e293",
	"created_at": "2026-04-06T00:12:06.929074Z",
	"updated_at": "2026-04-10T03:30:33.482021Z",
	"deleted_at": null,
	"sha1_hash": "8bc9c55f0d1923cd742197813326d8efc071f340",
	"title": "Android Trojan steals money from PayPal accounts even with 2FA on",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1571576,
	"plain_text": "Android Trojan steals money from PayPal accounts even with 2FA on\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:46:14 UTC\r\nThere is a new Trojan preying on Android users, and it has some nasty tricks up its sleeve.\r\nFirst detected by ESET in November 2018, the malware combines the capabilities of a remotely controlled banking Trojan with a novel misuse of Android Accessibility services to target users of the official PayPal app.\r\nAt the time of writing, the malware is masquerading as a battery optimization tool and is distributed via third-party app stores.\r\nhttps://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/\r\nPage 1 of 9\n\nFigure 1 – The disguise used by the malware at the time of writing\r\nHow does it operate?\r\nAfter being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts, as described in the following sections.\r\nMalicious Accessibility service targeting PayPal\r\nThe malware’s first function, stealing money from its victims’ PayPal accounts, requires the activation of a malicious Accessibility service. As seen in Figure 2, this request is presented to the user as being from the innocuous-sounding “Enable statistics” service.\r\nFigure 2 – Malware requesting the activation of its Accessibility service, disguised as “Enable statistics”\r\nIf the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. 
Once the user opens the PayPal app and logs in, the malicious Accessibility service (if previously enabled by the user) steps in and mimics the user’s clicks to send money to the attacker’s PayPal address.\r\nDuring our analysis, the app attempted to transfer 1000 euros; however, the currency used depends on the user’s location. The whole process takes about 5 seconds, and for an unsuspecting user there is no feasible way to intervene in time.\r\nBecause the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). 2FA protects the login, not the actions taken afterwards inside the authenticated session, so an Accessibility service driving the app’s UI after login is never challenged by it. Users with 2FA enabled simply complete one extra step as part of logging in, as they normally would, but end up just as vulnerable to this Trojan’s attack as those not using 2FA.\r\nA video in the original post demonstrates this process in practice.\r\nThe attackers fail only if the user has an insufficient PayPal balance and no payment card connected to the account.\r\nThe malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times.\r\nWe have notified PayPal of the malicious technique used by this Trojan and of the PayPal account used by the attacker to receive stolen funds.\r\nBanking Trojan relying on overlay attacks\r\nThe malware’s second function uses phishing screens covertly displayed over targeted, legitimate apps.\r\nBy default, the malware downloads HTML-based overlay screens for five apps – Google Play, WhatsApp, Skype, Viber, and Gmail – but this initial list can be dynamically updated at any moment.\r\nFour of the five overlay screens phish for credit card details (Figure 3); the one targeting Gmail is after Gmail login credentials (Figure 
4). We suspect this is connected to the PayPal-targeting functionality, as PayPal sends email notifications for each completed transaction. With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.\r\nFigure 3 – Malicious overlay screens for Google Play, WhatsApp, Viber and Skype, requesting credit card details\r\nFigure 4 – Malicious overlay screens phishing for Gmail credentials\r\nWe’ve also seen overlay screens for legitimate banking apps requesting login credentials for victims’ internet banking accounts (Figure 5).\r\nFigure 5 – Malicious overlay screen for the NAB (National Australia Bank) Mobile Banking app\r\nUnlike the overlays used by most Android banking Trojans, these are displayed as a locked foreground screen – a technique also used by Android ransomware. This prevents victims from removing the overlay by tapping the back button or the home button. The only way to get past this overlay screen is to fill out the bogus form, but fortunately, even random, invalid inputs make these screens disappear.\r\nAccording to our analysis, the authors of this Trojan have been looking for further uses for this screen-overlaying mechanism. The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where victims were scared into believing their devices were locked due to purported police sanctions. 
It is unclear whether the attackers behind this Trojan are also planning to extort money from victims, or whether this functionality would merely be used as a cover for other malicious actions happening in the background.\r\nBesides the two core functions described above, and depending on commands received from its C\u0026C server, the malware can also:\r\nIntercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication)\r\nObtain the contact list\r\nMake and forward calls\r\nObtain the list of installed apps\r\nInstall an app; run an installed app\r\nStart socket communication\r\nAccessibility Trojans also lurking on Google Play\r\nWe also spotted five malicious apps with similar capabilities in the Google Play store, targeting Brazilian users. The apps, some of them also reported by Dr. Web and now removed from Google Play, posed as tools for tracking the location of other Android users. In reality, the apps use a malicious Accessibility service to navigate inside the legitimate applications of several Brazilian banks. Besides that, the Trojans phish for sensitive information by overlaying a number of applications with phishing websites. 
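As an added worked example (this is not code from the ESET post or from the malware), the following Python script triages an Android device against the indicators published in the IoCs section below: the malicious package names, the substring targeting rules (any app containing twitter or santander), and, for the PayPal theft described earlier, the set of enabled Accessibility services, since that attack needs both the official PayPal app installed and a rogue Accessibility service enabled. It assumes the inventory was captured with adb shell pm list packages and adb shell settings get secure enabled_accessibility_services; the PayPal package name, the Accessibility allowlist and the sample inventory are assumptions constructed for the demo.

```python
# Added example, not code from the ESET post: triage an Android package
# inventory against the IoCs published in the post. Inputs are the raw
# outputs of two adb commands, captured beforehand:
#   adb shell pm list packages
#   adb shell settings get secure enabled_accessibility_services

# Package names and ESET detection names from the IoC tables.
MALICIOUS_PACKAGES = {
    'jhgfjhgfj.tjgyjgjgjy': 'Android/Spy.Banker.AJZ',
    'service.webview.kiszweb': 'Android/Spy.Banker.AKB',
    'service.webview.webkisz': 'Android/Spy.Banker.AKB',
    'com.web.webbrickd': 'Android/Spy.Banker.AKB',
    'com.web.webbrickz': 'Android/Spy.Banker.AKB',
    'service.webview.strongwebview': 'Android/Spy.Banker.AKB',
}

# Apps the Brazilian variants overlay or navigate: exact package names plus
# the two substring rules (the Trojan matches any app containing them).
TARGET_EXACT = {
    'com.uber', 'com.itaucard', 'com.bradesco', 'br.com.bb.android',
    'com.netflix', 'gabba.Caixa', 'com.itau', 'br.com.bb',
}
TARGET_SUBSTRINGS = ('twitter', 'santander')

# Assumed, not from the post: the official PayPal app package name, and an
# allowlist of Accessibility service packages the device owner expects
# (here only TalkBack). Any other enabled service is reported.
PAYPAL_PACKAGE = 'com.paypal.android.p2pmobile'
ALLOWED_A11Y_PACKAGES = {'com.google.android.marvin.talkback'}


def parse_pm_list(text):
    # Lines look like package:com.foo, or package:/path/base.apk=com.foo
    # when -f was used; keep only the package name.
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('package:'):
            line = line[len('package:'):]
        if '=' in line:
            line = line.rsplit('=', 1)[1]
        packages.add(line)
    return packages


def parse_accessibility_services(text):
    # The setting is a colon-separated list of pkg/ServiceClass entries;
    # an unset value prints as null. A class name starting with a dot is
    # relative to its package.
    text = text.strip()
    if not text or text == 'null':
        return []
    services = []
    for entry in text.split(':'):
        if '/' not in entry:
            continue
        pkg, cls = entry.split('/', 1)
        if cls.startswith('.'):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def is_target(package):
    lowered = package.lower()
    return package in TARGET_EXACT or any(s in lowered for s in TARGET_SUBSTRINGS)


def triage(pm_text, a11y_text, allowed=ALLOWED_A11Y_PACKAGES):
    installed = parse_pm_list(pm_text)
    services = parse_accessibility_services(a11y_text)
    malicious = sorted((p, MALICIOUS_PACKAGES[p]) for p in installed
                       if p in MALICIOUS_PACKAGES)
    suspicious = [s for s in services if s[0] not in allowed]
    return {
        'malicious': malicious,
        'exposed_targets': sorted(p for p in installed if is_target(p)),
        'suspicious_services': suspicious,
        # The PayPal theft needs both: the official app installed and a
        # rogue Accessibility service enabled.
        'paypal_at_risk': PAYPAL_PACKAGE in installed and bool(suspicious),
    }


# Constructed sample inventory (not a real device capture).
SAMPLE_PM_LIST = '''package:com.android.settings
package:com.paypal.android.p2pmobile
package:com.whatsapp
package:com.itaucard
package:br.com.santander.app
package:service.webview.kiszweb
package:com.google.android.marvin.talkback
'''
SAMPLE_A11Y = ('com.google.android.marvin.talkback/.TalkBackService:'
               'service.webview.kiszweb/.StatsService')

if __name__ == '__main__':
    for key, value in triage(SAMPLE_PM_LIST, SAMPLE_A11Y).items():
        print(key, value)
```

On a real device, feed the script the two adb outputs instead of the constructed sample; the enabled_accessibility_services check is the one worth keeping after the package names go stale, because every variant described in this post depends on the user having switched on a service the device owner never asked for.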
The targeted applications are listed in the IoCs section of this blog post.\r\nFigure 6 – One of the malicious apps on Google Play\r\nInterestingly, these Trojans also use Accessibility to thwart uninstallation attempts by repeatedly clicking the “Back” button whenever a targeted antivirus app or app manager is launched, or when strings suggesting uninstallation are detected in the foreground.\r\nHow to stay safe\r\nThose who have installed these malicious apps will likely have already fallen victim to one of their malicious functions.\r\nIf you have installed the PayPal-targeting Trojan, we advise you to check your bank account for suspicious transactions and consider changing your internet banking password/PIN code, as well as your Gmail password. In case of unauthorized PayPal transactions, you can report a problem in PayPal’s Resolution Center.\r\nFor devices that are unusable due to a lock screen overlay displayed by this Trojan, we recommend booting into Android’s Safe Mode and then uninstalling an app named “Optimization Android” under Settings \u003e (General) \u003e Application manager/Apps.\r\nUninstalling in Safe Mode is also recommended for Brazilian users who installed one of the Trojans from Google Play.\r\nTo stay safe from Android malware in the future, we advise you to:\r\nStick to the official Google Play store when downloading apps\r\nMake sure to check the number of downloads, app ratings and the content of reviews before downloading apps from Google Play\r\nPay attention to what permissions you grant to the apps you install\r\nKeep your Android device updated and use a reliable mobile security solution; ESET products detect these threats as Android/Spy.Banker.AJZ and Android/Spy.Banker.AKB\r\nIndicators of Compromise (IoCs)\r\nAndroid Trojan targeting PayPal users\r\nPackage name | Hash (MD5) | ESET detection name\r\njhgfjhgfj.tjgyjgjgjy | 1C555B35914ECE5143960FD8935EA564 | Android/Spy.Banker.AJZ\r\nAndroid banking Trojan targeting Brazilian users\r\nPackage name | Hash (MD5) | ESET detection name\r\nservice.webview.kiszweb | FFACD0A770AA4FAA261C903F3D2993A2 | Android/Spy.Banker.AKB\r\nservice.webview.webkisz | D6EF4E16701B218F54A2A999AF47D1B4 | Android/Spy.Banker.AKB\r\ncom.web.webbrickd | 5E278AAC7DAA8C7061EE6A9BCA0518FE | Android/Spy.Banker.AKB\r\ncom.web.webbrickz | 2A07A8B5286C07271F346DC4965EA640 | Android/Spy.Banker.AKB\r\nservice.webview.strongwebview | 75F1117CABC55999E783A9FD370302F3 | Android/Spy.Banker.AKB\r\nTargeted applications (phishing overlays)\r\ncom.uber\r\ncom.itaucard\r\ncom.bradesco\r\nbr.com.bb.android\r\ncom.netflix\r\ngabba.Caixa\r\ncom.itau\r\nAny app containing the string “twitter”\r\nTargeted applications (in-app navigation)\r\ncom.bradesco\r\ngabba.Caixa\r\ncom.itau\r\nbr.com.bb\r\nAny app containing the string “santander”\r\nTargeted antivirus apps and app managers\r\ncom.vtm.uninstall\r\ncom.ddm.smartappunsintaller\r\ncom.rhythm.hexise.uninst\r\ncom.GoodTools.Uninstalle\r\nmobi.infolife.uninstaller\r\nom.utils.uninstalle\r\ncom.jumobile.manager.systemapp\r\ncom.vsrevogroup.revouninstallermobi\r\noo.util.uninstall\r\nom.barto.uninstalle\r\nom.tohsoft.easyuninstalle\r\nvast.android.mobile\r\nom.android.cleane\r\nom.antiviru\r\nom.avira.andro\r\nom.kms.free\r\nSource: https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"
	],
	"report_names": [
		"android-trojan-steals-money-paypal-accounts-2fa"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bc9c55f0d1923cd742197813326d8efc071f340.pdf",
		"text": "https://archive.orkl.eu/8bc9c55f0d1923cd742197813326d8efc071f340.txt",
		"img": "https://archive.orkl.eu/8bc9c55f0d1923cd742197813326d8efc071f340.jpg"
	}
}