There have been some bad trojans found on Android, but this is possibly one of the worst. This new threat automates a PayPal transaction for $1000 and sends it using the official PayPal app—even on accounts with 2FA enabled.

The PayPal Hijack

It does this using a couple of different methods and leveraging Android’s Accessibility services. The malicious app is currently disguising itself as an Android optimization tool and has been making its way onto users’ phones through third-party app stores. So for starters, don’t use third-party app stores.

When installed, “Optimization Android” (seriously, why would you install something with a name like this in the first place?) also creates an Accessibility service called “Enable statistics.” It then requests access to this feature, which seems harmless enough—it will allow the app to monitor user actions and retrieve window content. If you think it’s all in the name of making your phone faster, it almost makes sense.

But that’s where things get worse because now the trojan can effectively emulate touches. It generates a notification that looks like it’s from PayPal urging the user to log in.

When tapped, this notification opens the official PayPal app (if installed)—so this isn’t a phishing attempt. The official app opens and asks the user to log in. Since this is a legitimate login attempt within the official app, 2FA does nothing to secure the account—you’ll just log in as normal, entering your 2FA code when it comes in.

Once you’re logged in, the malicious app takes over, transferring $1000 from your PayPal account to the attacker. This automated process happens in fewer than five seconds. We Live Security made a video of the entire process, and it’s pretty crazy how fast it all happens:

By the time you realize what’s going on, it’s too late to stop it. The only thing that stops the process once it’s started is if the PayPal balance is too low and there are no other funding methods. So it just cancels by default. Otherwise, you’re out a grand.

But it doesn’t end there.

The Overlay Attack

Not only does this particular trojan attack the user’s PayPal account, but it also uses Android’s Screen Overlay feature to place illegitimate login screens over legitimate apps.

The malware downloads HTML overlay screens for Google Play, WhatsApp, Skype, and Viber, then uses them to phish credit card details. It can also create an overlay for a Gmail login, stealing the user’s login credentials.

While the overlay attack is currently limited to the aforementioned apps, the list could be updated at any time, meaning this type of attack can be expanded at any point to steal basically any type of information the attacker wants. We Live Security goes on to highlight that the attacker could be exploring other options for using the overlay:

According to our analysis, the authors of this Trojan have been looking for further uses for this screen-overlaying mechanism. The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions. It is unclear whether the attackers behind this Trojan are also planning to extort money from victims, or whether this functionality would merely be used as a cover for other malicious actions happening in the background.

How to Stay Safe

While we have a detailed piece on how to avoid Android malware, here’s a TL;DR for staying safe:

Only install apps from Google Play. Avoid third-party app stores, especially ones that promise paid apps for free.

Exercise caution when sideloading. If sideloading an app, make sure it’s legit first.

Don’t install pirated apps. Seriously. It’s not only crappy, but potentially opens you up to all sorts of malicious crap.

Do your research. Even when using Google Play, read reviews and pay attention—while more secure than most third-party stores, the Play Store isn’t completely impervious to malware.
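The trojan described above only works once its “Enable statistics” Accessibility service is switched on, so one concrete check is to audit which Accessibility services are actually enabled on a device. The script below is an added example, not from the article or from ESET’s analysis; it reads the real enabled_accessibility_services secure setting over adb when a device is attached, and otherwise runs on a constructed sample in which the TalkBack allowlist entry and the “com.example.optimizer” component are placeholders, not the trojan’s real identifiers.

```shell
#!/bin/sh
# Audit which Android Accessibility services are enabled, the permission the
# "Optimization Android" trojan abuses to emulate taps inside the PayPal app.
# The secure setting enabled_accessibility_services holds colon-separated
# component names ("pkg/.Service:pkg2/com.x.Svc"), or "null" when none is enabled.

# Components you knowingly enabled (assumed example: TalkBack; edit for your device).
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of the setting on an infected device; the package and class
# names are placeholders, not the trojan's real identifiers.
SAMPLE="$ALLOWLIST:com.example.optimizer/.EnableStatisticsService"

# Print one line per enabled service, tagged OK or SUSPECT.
# Returns 0 when every enabled service is on the allowlist, 1 otherwise.
audit_accessibility() {
    raw=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry CRs
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        echo "no accessibility services enabled"
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    set -- $raw            # split the setting into one component per argument
    IFS=$old_ifs
    status=0
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        allowed=0
        for a in $ALLOWLIST; do
            [ "$comp" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 1 ]; then
            echo "OK      $comp"
        else
            echo "SUSPECT $comp"
            status=1
        fi
    done
    return "$status"
}

# Use a connected device when adb is available, otherwise the constructed sample.
if command -v adb >/dev/null 2>&1; then
    setting=$(adb shell settings get secure enabled_accessibility_services 2>/dev/null || true)
else
    setting=$SAMPLE
fi
audit_accessibility "$setting" || echo "review the SUSPECT entries under Settings > Accessibility"
```

Any SUSPECT line names an app that can read window content and inject taps on the device, which is exactly the capability the PayPal hijack relies on.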
