That PayPal Trojan story is stupid and a waste of everyone's time
Some of us woke up to what seemed like a serious security scare for a lot of Android users this morning.
This story was accompanied by a scary video, which demonstrated this rogue app "watching" you log in to PayPal and then copying your process to log in. What makes this particularly scary looking is the way it appears to bypass 2-Factor Authentication and then sending money on your behalf. Without the user ever knowing, this app was logging in for you and sending your money away. Terrifying stuff, right? Well, there's a catch. Actually, there are several.
The first, as pointed out by the original team reporting this trojan (emphasis mine):
Ok, so this rogue battery optimization tool isn't available through Google Play at all. Check. Now, when the app is installed how does it do its thing? Does this app really operate in the background with the user none the wiser? Well, not exactly. Again, from the original team reporting on this (emphasis mine):
That's right, you get a permission request when this rogue app is first run. And that "innocuous-sounding"' permission includes the words Observe your actions in the description in great big bold letters. Not exactly a red flashing warning, but like any permission you have to choose to enable it. If you don't, the app can't do anything.
So once this rogue battery app is installed from a third-party source and you blindly give it access to your phone by not reading your permissions, does it just lurk in the background waiting to strike? No. Once again, from the original team reporting on this (emphasis mine):
You get a notification telling you to log in to PayPal from something that isn't PayPal, and you just do it? Really? That's not how any of this works.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
So to recap, this Super Serious Android Trojan:
- Was not in the Google Play Store, so you have to download from a random store and enable Unknown Sources to even install it.
- Asks for a fairly unusual permission as soon as you open it.
- Immediately gives you a notification asking you to log in to PayPal.
Individually, these are warning flags. Together, this is basically someone sending you a letter in the mail asking you to let them know when you won't be home so they can rob you.
This isn't a real security threat. At all. Though what is a real security threat is PayPal still relying on nothing but a text message delivery for Two-Factor Authentication. It's 2018, folks. Get a real token system.