The Android.Fakeapp Trojan has been around for years, but the latest variant is one of the most sinister we’ve ever seen. On Wednesday, Symantec warned Android users in a blog post that one of the latest versions of the malware spoofs the user interface of the Uber app and pops up in regular intervals on the user’s screen until they enter their login information. Once the user ID and password have been entered, it sends the data to a remote server.
To make matters worse, the malware then tries to cover up the intrusion by displaying a screen from the actual Uber app that shows the current location of the user. If you’ve used Uber before, you know that the first thing you see when you open the app is your location on the map. This trick could convince users that nothing is wrong.
Symantec explains that in order to show the user this screen, the malware has to take advantage of “the deep link URL of the legitimate app that starts the app’s Ride Request activity,” which then displays the current location of the user as the pickup point. At this point, the thieves would already have your information, but by convincing you that you’re using the legitimate app, you might refrain from changing your password until it’s too late.
Uber provided the following statement to Engadget regarding the threat of malware:
Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password.
In other words (and as always), don’t download an app on your Android device from anywhere but the Google Play store. Doing so will put you at risk, and before you know it, you could find your Uber account stolen and sold to the highest bidder. Keep your software updated, pay attention to permission requests and stay on the Play store.