IT security researchers at Symantec have discovered malware that secretly spies upon Uber’s Android app and extracts private, sensitive data such as users’ passwords. This allows attackers to hijack the accounts owned by Uber users and has been dubbed as Android.Fakeapp.
The Android malware is capable of mimicking Uber’s interface; it was identified after various Trojan pop-ups were observed by the researchers on the screen at regular intervals. The purpose was to fool the users into giving away their phone numbers and passwords.
When the user presses Enter, the malware sends login credentials to a remote server. The attackers would receive the information and use it to compromise accounts and sell them off to other hackers on the black market.
“In order to steal a user’s login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.”
This Fakeapp variant also gives a false sense of security to the user apart from showing a fake log-in screen of Uber. This is done to prevent users from suspecting any foul play and changing their password before the malware is able to obtain the required information.
According to Symantec’s findings, the case shows that malware creators are always eagerly looking to find new social engineering tricks to trap users.
They recommended that users must keep their software updated and install a reliable anti-malware app to prevent malware from infecting the device. Furthermore, it is suggested that apps from unfamiliar websites are not downloaded at all.
“We recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password.”
To cover up the stealing of credentials, the malware accesses Uber app’s deep links to show the current location of the user, which gives away the feeling that user is using legitimate Uber app. Dinesh Venkatesan, the threat analysis engineer at Symantec, stated:
“To avoid alarming the user, the malware displays a screen of the legitimate app that shows the user’s current location, which would not normally arouse suspicion because that’s what’s expected of the actual app.”
The malware is not as widespread as we might believe it to be and a majority of Uber users are protected from it. However, it malware affects users in Russian-speaking countries at the moment and widescale distribution of the campaign is currently not expected by researchers.
