A piece of Android malware is targeting Uber users with a fake version of the ride-hailing service's app in order to steal their logins and passwords.
UPDATE: An Uber spokesperson told BGR India in a statement, "Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password."
As reported by Symantec, the malware is a variant of Android.Fakeapp, an Android trojan that attackers have been using since 2012 to display advertisements and collect information from compromised devices. This variant presents a spoofed Uber login interface, which pops up on the device screen at regular intervals until the user is tricked into entering their Uber ID (typically the registered phone number) and password. Once the user fills in the details and taps the Next button, the malware sends the user ID and password to its remote server.
Then, to avoid alarming the user, the malware displays a screen from the legitimate Uber app showing the user's current location, exactly the screen a user would expect to see after logging in.
“This is where creators of this Fakeapp variant got creative. To show the said screen, the malware uses the deep link URI of the legitimate app that starts the app’s Ride Request activity, with the current location of the victim preloaded as the pickup point,” Symantec points out. “Deep links are URLs that take users directly to specific content in an app. Deep linking in Android is a way to identify a specific piece of content or functionality inside an app. It is much like a web URL, but for applications.”
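As an added illustration (not code from the original report, from Symantec, or from the malware), this is the Android mechanism the quote describes: an app that wants another app's screen to appear does not need that app's code or permissions, it only hands a URI to the system with an implicit intent, and Android routes it to whichever installed app has registered the scheme. The `uber://` scheme and the `setPickup` action used here are assumptions for illustration; the report does not reproduce the exact deep link the malware used.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

public class DeepLinkExample {
    // Assumed, illustrative deep link: the report does not quote the real URI.
    private static final Uri RIDE_REQUEST =
            Uri.parse("uber://?action=setPickup&pickup=my_location");

    /**
     * Returns the package name of the installed app that would handle the deep link,
     * or null if nothing on the device has registered the scheme.
     */
    public static String handlerPackage(Context ctx) {
        Intent intent = new Intent(Intent.ACTION_VIEW, RIDE_REQUEST);
        ComponentName target = intent.resolveActivity(ctx.getPackageManager());
        return target == null ? null : target.getPackageName();
    }

    /**
     * Hands the URI to the system. The app that registered the scheme, not the
     * caller, draws the resulting screen, so the screen the user sees is genuine
     * even though an unrelated app triggered it.
     */
    public static boolean openRideRequest(Context ctx) {
        if (handlerPackage(ctx) == null) {
            return false; // legitimate app not installed; nothing to hand off to
        }
        Intent intent = new Intent(Intent.ACTION_VIEW, RIDE_REQUEST);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // needed when not called from an Activity
        ctx.startActivity(intent);
        return true;
    }
}
```

The point for a practitioner is the one Symantec is making: because any app on the device can trigger the legitimate app's deep link, the appearance of the real ride-request screen afterwards is no evidence that the login screen shown a moment earlier belonged to the real app.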
The attackers will likely either use the stolen credentials themselves, for example to run scams, or sell them to others on underground forums on the dark web. Fortunately, the malware appears to have reached only a very limited number of users. "Users are likely in Russian-speaking countries in limited number. We don't anticipate such an app to be in widescale distribution," Dinesh Venkatesan, principal threat analysis engineer at Symantec, told ZDNet.
"This case again demonstrates malware authors' never-ending quest for finding new social engineering techniques to trick and steal from unwitting users," Venkatesan said.
The malware is not believed to have been distributed through the Google Play store itself; rather, it arrives through applications downloaded from third-party websites, and it is not thought to be widespread.