Banking Malware Masked as PayPal App Targeting Android Users

Hackers are targeting users with fake PayPal app update email which actually comes with an embedded link of an Android banking malware.

Recently, an email circulation has been let loose by hackers. This email looks quite official in design and content, asking the recipient to update their Android PayPal app.

If the users click on the given link, a download is triggered. This download is a mobile online banking Trojan that has been detected by Trend Micro as AndroidOS_Marchcaban.HBT.


Trend Micro says in a post that the language used in the email suggests that people living in Germany are their main target. It also reports that this email has been sent over 14,000 times in variations. 

Screenshot of the email sent by the hackers / Image Source: Trend Micro
Screenshot of the email sent by the hackers / Image Source: Trend Micro

After a user installs this application, a request to act as system administrator appears on the screen along with a request relating to other privileges.

Permissions request from the malware app

“Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user’s PayPal credentials,” the post said. Furthermore, it has been said that this code is also employed to target various banking-related apps like Commerzbank.

Once the user installs the so-called update, the malware checks for the original PayPal app. Once detected, the malware puts up its own UI on the top of the original PayPal app which lets the fake app steal your PayPal login data. 

Trend Micro 

Related Posts