ESET has come across an Android trojan capable of defeating the multifactor authentication required to access the official PayPal app.

Multifactor authentication (2FA) has become a keystone for many organizations and individuals attempting to secure their data, but one cybergang has created an app masquerading as a battery optimization tool in third-party Android stores that tricks the victim into giving up their 2FA credentials, ESET reported.

The app, once downloaded, immediately stops its advertised functionality and hides its icon and then first searches to see if the victim has a PayPal account. If so it displays a notification alert asking for permission to observe the phone’s actions and receive notifications when interacting with the app and to retrieve any content being displayed on the screen.

The malware then issues a prompts asking the victim to open their PayPal account and log in, which allows the previously allowed permissions to capture what the user inputs. The malicious app then uses this info to send money to the criminals PayPal account.

In ESET’s research it found the user tries to remove 1,000 Euros from its account with the entire transaction taking about five seconds, too fast for the victim to try and stop it. To pour salt into the victim’s wound this process happens every time the person accesses their PayPal account. However, the theft fails if there are insufficient funds in the account, what the

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA,” ESET wrote.

ESET has notified PayPal of the attack modus operandi and the account receiving the stolen funds.