Malware writes are a shifty bunch. If anyone needs further proof of that, Symantec has it, in the form of a warning over a new Android “Fakeapp” malware variant that spoofs Uber, the popular ridesharing service, to cover its tracks. While it may look innocent, the Fakeapp malware pulls its usual dirty tricks, including the theft of personal and sensitive information such as credit card details.
“The Fakeapp variant we found had a spoofed Uber application user interface (UI) which pops up on the user’s device screen in regular intervals until the user gets tricked into entering their Uber ID (typically the registered phone number) and password,” Symantec explains.
After receiving the pop-up, Android users who fall for the ruse enter in their login details, which ten get sent to a remote server. To the user, it seems like they’re simply logging into Uber. The malware reinforces this even after the fact by displaying a screen of the legitimate app complete with the user’s current location. Symantec points out that this would not normally arouse suspicion because that’s what Uber users expect to see when logging in.
“This is where creators of this Fakeapp variant got creative. To show the said screen, the malware uses the deep link URI of the legitimate app that starts the app’s Ride Request activity, with the current location of the victim preloaded as the pickup point,” Symantec added.
Deep links consist of URLs that navigate users to a specific part of an app. It is like a web URL, but for an application. The Fakeapp variant that Symantec discovered takes advantage of deep linking to cover its tracks. It’s an effective ploy, and this particular strain preys on millions of Uber users around the world.
The typical recommendations apply—Symantec’s advice is to make sure your software is up to date, refrain from downloading apps from unfamiliar sites, pay close attention to the permissions that apps request, make frequent backups, and of course it pitches installing a mobile security app such as Norton.