Malware discovered by Symantec researchers sneakily spoofs Uber’s Android app and harvests users’ passwords, allowing attackers to take over the affected users’ accounts. The malware isn’t widespread, though, and most Uber users are not effected.
In order to steal a user’s login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.
To cover up the credential theft, this malware uses deep links to Uber’s legitimate app to display the user’s current location—making it appear as though the user is accessing the Uber app instead of a malicious fake.
Deep linking routes users to specific content within an app (think of it as clicking the link to this story rather than a link to the Gizmodo home page). In this case, Symantec found that attackers used deep links to pull a rider’s actual location information from Uber.
“To avoid alarming the user, the malware displays a screen of the legitimate app that shows the user’s current location, which would not normally arouse suspicion because that’s what’s expected of the actual app,” Symantec threat analysis engineer Dinesh Venkatesan wrote in a statement. “This case again demonstrates malware authors’ never-ending quest for finding new social engineering techniques to trick and steal from unwitting users.”
However, the vast majority of Uber users are not at risk. The malware tries to pass itself off as the Uber app, but it’s not available in the Google Play store and users would have to download from another source. “Users are likely in Russian-speaking countries in limited number. We don’t anticipate such an app to be in widescale distribution,” a Symantec spokesperson said.
Still, it’s a good reminder for users not to download apps from untrusted sources—sticking to the Google Play store is a good idea—and to expect sophistication from malicious apps.
“Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources,” an Uber spokesperson said. “However, we want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorised logins even if you accidentally give away your password.”