Wave Systems Corp. (fka WAVXQ)

[Genz2]

Android Malware Steals from PayPal Accounts

https://www.infosecurity-magazine.com/news/android-malware-steals-from-paypal?utm_source=twitterfeed&utm_medium=twitter

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.

The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.

In a video recording, researchers demonstrated an attempt to steal money from a PayPal account after the user had logged into the app. While the researchers were analyzing the malware, the PayPal app attempted to send €1,000, which failed when the app requested that the user link a new card due to insufficient funds.

The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.

According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.

“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the users mobile device. What’s new for this malware is that it is not focused on phishing for the users credentials, although it appears to attempt to phish for the user’s credit card information, instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”
=================================================================
Wave was at one point testing authentication under NSTIC with Paypal using Android devices. Why not use Wave Knowd with android devices (Samsung) to have a better 2FA than what was done in the article?!?! Paypal could have better security for its customers and Samsung could have better security for its customers (see previous Samsung post)!! Wave must have already done extensive testing with Paypal and Samsung. imo.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords

https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords

Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services