A PayPal credential stealing fake Android app, masquerading as a service to generate money from watching in-app YouTube videos, has been discovered by cyber security researchers from ESET.
Boost Views on the Google Play store was found to have the Tojan.Android/FakeApp.FK malware and under the guise of providing users with real money in return for views on YouTube, scams users to part with their PayPal details.
Having generated $0.09 in 16 hours of automatic video playing and having seen no mention of a minimum payout threshold, we tried to withdraw the earned amount.
ESET’s researchers noted that there appeared to be no minimum payout threshold for the views, and so they attempted to withdraw the money they earned while investigating the app, where they discovered the crux of the scam.
“In order to withdraw money, PayPal credentials must first be entered into an insecure login form for “authentication”. Once victims enter their credentials, they are confronted with an “invalid login” error message and their PayPal credentials are sent unencrypted to developer’s server,” they said.
“With PayPal account compromised, the victims’ PayPal and/or credit card balance are open for misuse.”
While the researchers said that PayPal has so far not reported any suspicious activity on the account they have used to test Boot Views, it still offers little comfort for users who have had their PayPal details compromised.
Through the use of a bogus login screen, PaxVendor looks to harvest users’ Paxful login details while offering no real functionality in return by generating a error noting the users’ that it cannot access their Paxful account, while sending the login credentials to a server used by the scammer.
The researchers noted that someone signed into their account from the Ukraine shortly after they entered their Paxful credentials into PaxVendor.
The malicious app has been pulled by Google from the Play store, but the ESET researchers noted that 500 installs have been made before PaxVendor was shutdown.
Both examples of fake Android apps indicate the need for users to be extra vigilant for app scams pretending to offer a money-making service in return for very little, and indicate the continued rise of sophisticated scamming malware as vectors for cyber attacks.
What do you know about the mobile app revolution?Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…