This is hard to make working for several reasons.
First, as mentioned by others, not all OSes allow popup windows. WebOS for example, instead pops-up alerts in the lower status bar. The user is the only one who can switch around windows (cards, in webOS). The only exception is, when one application spawn another one, there is a distinct animation making a new card appear.
The second reason, is variability. Your example would require a single task system. In real life, even phone OSes are moving toward even more multi-tasking. The 23752 bytes you mention will be lost in a sea of other memory change. Maybe the malicious application, between probes, would register an increase of memory consumption of about 67849 bytes, because not only paypal's page was opened, but also between the memory check the user received an message and the messaging application started automatically downloading the attached picture. (And that's just taking into acount application with direct memory management. Now, if you add in the mix languages that use deffered garbage collection, memory consumption gets even weirder).
Third reason is also availablity. You example require the paypal page to always have the exact same size down to the byte in order to be easily recognisable. Saddly, in real life, developers are constantly tuning their code. It might be 23752 today, it could be 34756 tomorrow. And that's just the size it-self. You've probably noticed, but nowadays every single company feels compelled to re-invent their interface, Facebook is far from having the monopolly on completely changing its interface whenever somebody sneezes. That means that the bogus paypal page displayed by the attacked software might look like an older version instead of looking like all other current instances. (Now, that's not a guarantee that the user will notice that something is fishy. Less attentive users will probably dismiss it as "Meh, another of these almost-weekly UI re-invention"). Still, these kind of change will make it terribly difficult to use the free memory tracking that you propose.
Last reason: banks. Some banks ask the user to confirm the transaction out-of-band (mine does make confirm credit-card transaction). A user thinking to buy an In-App extra 10$ with paypal would be surprised to receive an SMS asking confirmation for a credit-card transaction of 10'000$.