The FakeApp trojan has returned with new tricks to stop users noticing they've been duped.
The malware users a fake Uber overlay to steal user credentials. Image: Getty
Uber users with Android smartphones are being targeted with malware that shows victims a fake version of the ride-hailing service, in order to steal their credentials.
The malware is a variant of FakeApp, an Android trojan that attackers have been using to display advertisements and collect information from compromised devices since 2012.
Now the malware has set its sights on stealing the user IDs and passwords of Uber accounts.
Uncovered by researchers at Symantec, the malware displays a spoofed version of the Uber app, encouraging the user to enter their user ID in the form of their registered phone number and password. Once this information is entered, it sends the information to a remote server.
It's likely the attackers will either attempt to exploit this stolen information for their own gain, performing scams, or try to sell it to others on dark web underground forums.
Whatever their ultimate aim in stealing Uber credentials, those behind FakeApp have gone out of their way to ensure this version of the malware hides its tracks and doesn't arouse suspicion from the user.
In order to do thus, the malware shows the user a screen of the legitimate Uber app which displays their current location - which is what happens with the real Uber when the user logs in to request a ride.
The attackers achieve this by using deep links within the Uber application in order to specifically redirect to the Ride Request activity section of the app - all while the victim remains none the wiser that they've been duped by a malicious version of the app.
"This case again demonstrates malware authors' never-ending quest for finding new social engineering techniques to trick and steal from unwitting users," said Dinesh Venkatesan, principal threat analysis engineer at Symantec.
The malware isn't downloaded from the Google Play store itself, but rather comes from downloading applications from third-party websites, and isn't thought to be widespread.
"Users are likely in Russian-speaking countries in limited number. We don't anticipate such an app to be in wide scale distribution," Venkatesan told ZDNet.
In order to protect against falling victim to FakeApp, Uber recommends that users only download apps from the official Android marketplace.
"Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources," an Uber spokesperson told ZDNet.
The company also said it has safeguards in place to ensure that users' accounts are protected, and can't be abused by hackers and other unauthorized users.
"We want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password," Uber said.
In order to have the greatest chance of staying safe from malware, Symantec recommends Android users stick to downloading apps from Google Play - although it isn't unknown for malicious apps to find their way into the official Android store.