Security researchers at Symantec have discovered a new variant of Android malware that is aiming to steal Uber passwords and login credentials.

The malware is a new variation on Android.Fakeapp, a common malware targeting Android devices. Previous versions of the attack have aimed to steal credit card numbers and other personal information, but the latest variant is specifically targeting Uber users.

The focus on Uber passwords makes sense for the attackers purely in terms of the number of users who could be affected by an attack. Uber is one of the most popular apps in the Google Play Store and has been installed on as many as 500 million devices worldwide. It also has a global reach, as Uber operates in more than 80 countries around the world.

Android.Fakeapp has been around since at least 2012, and the latest variant operates much the same as previous versions of the attack. The malware is most often installed when users download an infected app posing as a legitimate application. These apps are generally found in third-party app stores that do not offer the same protection as the Google Play Store, though malware has slipped past Google’s defenses on several occasions.

Once installed on a device, Android.Fakeapp spoofs the Uber application user interface that would appear when the user opens Uber. The screen asks the user to enter their Uber login ID—either a phone number or email address—and password.

When the user enters the information, they aren’t actually providing it to Uber; the malware is using the fake interface to steal the login information from the victim. When the user goes to log in with the information, it is sent to a remote server controlled by the attackers.

After hijacking the victim’s username and password, the malware makes an effort to hide its behavior by directing users to another screen that appears as though it’s from the legitimate Uber app. It displays a screen that shows the user’s location, as they would see upon opening Uber to order a ride.

While this type of obfuscation isn’t necessarily uncommon, Symantec notes that the creators of the Android.Fakeapp variant “got creative” with the process.

In order to display the Uber screen where users can order a ride, the malware uses what is called a deep link URL from the legitimate app that contains information about the user’s Ride Request activity. It also preloads the victim’s current location as the pickup point.

Like most URLs, deep links direct to a specific piece of content. Rather than pointing to a webpage as a standard URL does, a deep link goes directly to a specific piece of information found in an app. Deep linking is typically used to launch a specific page or function within an app. It’s like directing a person to a specific webpage on a site rather than sending them to the homepage of the site and requiring them to click through to find the page.

To avoid installing Android.Fakeapp and other malware that could steal passwords, Symantec researchers recommend keeping Android software up to date, avoiding downloading apps from sources outside of the Google Play Store, and installing a trusted mobile security app that can help detect threats before they can execute.

Of course, many Uber passwords have already been exposed on at least one occasion. The company suffered a security breach in 2016 that compromised as many as 57 million users, and it hid the breach for more than a year.