A vicious phishing attack is currently running rife in Germany targeting PayPal users, trying to get them to download what on the surface looks like the official PayPal app, but is actually a banking trojan.
The email was descibed by researchers at Trend Micro as being as very well executed, saying it includes the PayPal logo, passable German, some basic clean design and some recipients were likely convinced into installing the app.
Trend Micro reports that the malicious app is not currently on the Google Play Store and says that this is where the Android setting that disallows the installation of non-Market applications can really save users.
If the app is actually downloaded and installed, the Trojan will ask to become a “device administrator”. This should hide the app away and make it very difficult to remove as it uses UI tracking, as well as allowing it to make changes such as changing the password in the screen-unlocking feature, set password rules and set storage encryption.
"Even if the user decides to not grant device administrator privileges, the malicious app will still disappear from the home screen and continue to run in the background. It is also removed from the launcher screen, making it almost impossible to interact with and/or remove," the researchers warn.
"Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user's PayPal credentials".
The attackers carrying this out are not only misuing the PayPal name to get people to download the app, the same malware also comes disguised as Flash Player, game apps and adult apps.
Trend Micro advises lots of caution in what apps are downloaded and installed, repeating the widespread industry mantra not to trust unsolicited emails that tell them to download an app.