This Android malware mimics Uber to steal your login and password

The FakeApp trojan has returned with new tricks to stop users noticing they've been duped.
Written by Danny Palmer, Senior Writer

Uber users with Android smartphones are being targeted with malware that shows victims a fake version of the ride-hailing service, in order to steal their credentials.

The malware is a variant of FakeApp, an Android trojan that attackers have been using to display advertisements and collect information from compromised devices since 2012.

Now the malware has set its sights on stealing the user IDs and passwords of Uber accounts.

Uncovered by researchers at Symantec, the malware displays a spoofed version of the Uber app, encouraging the user to enter their user ID (their registered phone number) and password. Once this information is entered, the malware sends it to a remote server.

It's likely the attackers will either attempt to exploit this stolen information for their own gain, performing scams, or try to sell it to others on dark web underground forums.

Whatever their ultimate aim in stealing Uber credentials, those behind FakeApp have gone out of their way to ensure this version of the malware hides its tracks and doesn't arouse suspicion from the user.


The malware uses a fake Uber overlay to steal user credentials.

Image: Getty

In order to do this, the malware shows the user a screen of the legitimate Uber app which displays their current location - which is what happens with the real Uber when the user logs in to request a ride.

The attackers achieve this by using deep links within the Uber application in order to specifically redirect to the Ride Request activity section of the app - all while the victim remains none the wiser that they've been duped by a malicious version of the app.

"This case again demonstrates malware authors' neverending quest for finding new social engineering techniques to trick and steal from unwitting users," said Dinesh Venkatesan, principal threat analysis engineer at Symantec.

The malware isn't distributed through the Google Play store itself, but instead arrives when users download applications from third-party websites, and it isn't thought to be widespread.

"Users are likely in Russian-speaking countries in limited number. We don't anticipate such an app to be in widescale distribution," Venkatesan told ZDNet.

In order to protect against falling victim to FakeApp, Uber recommends that users only download apps from the official Android marketplace.

"Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources," an Uber spokesperson told ZDNet.

The company also said it has safeguards in place to ensure that users' accounts are protected, and can't be abused by hackers and other unauthorised users.

"We want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password," Uber said.

In order to have the greatest chance of staying safe from malware, Symantec recommends Android users stick to downloading apps from Google Play - although it isn't unknown for malicious apps to find their way into the official Android store.
