Android users being targeted by fake Uber app
04 Jan 2018
Security firm Symantec has analysed a recent version of the Android.Fakeapp malware variant, and found that hackers are tricking users into entering their passwords and phone numbers into a fake version of Uber.
Millions of Android users around the world use Uber, meaning the discovery could affect a significant number of phone users globally.
The malware works by bringing up a screen on the user’s phone that matches the Uber user interface. It asks for a phone number and the user’s password, in order to log into the app. Once entered, these details are sent to the malware’s remote server.
It is at this point that the malware does something relatively unusual, according to Symantec. In order to avoid arousing suspicion, once details have been entered, the malware takes the user through to a legitimate Uber screen, showing his or her location, which is the expected result after logging in.
Clearly, as the malware is not the legitimate Uber app, it has to perform some trickery to get to this point. It does this, Symantec says, by using the ‘deep link URI of the legitimate app.’
A deep link URI is similar to a URL used on the web, but it points into an app. These deep links take users to a specific piece of content within the app. For instance, in this case, the malware takes the user to Uber’s ride request page by using the URI ‘uber://?action=setPickup&pickup=my_location’.
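For analysts triaging apps, a deep link into another app is normal on its own; the pattern described above is a deep link into someone else's app combined with a password prompt. The following is an added example, not Symantec's code or code from the malware: the app record format, the `SCHEME_OWNERS` map and the package names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: analyst-maintained map from deep-link scheme to the package that
# legitimately owns it. The package name is a placeholder, not a real app id.
SCHEME_OWNERS = {"uber": "com.example.legit_rideshare"}

def parse_deep_link(uri):
    """Return (scheme, params) for a URI string, or (None, {}) if unparsable."""
    try:
        parts = urlsplit(uri.strip())
    except ValueError:
        return None, {}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.scheme.lower() or None, params

def triage(app):
    """Classify one app record from static analysis (hypothetical format).

    Returns (verdict, foreign_links), where foreign_links lists deep links
    whose scheme belongs to a different package than the app under review.
    """
    foreign = []
    for s in app["strings"]:
        scheme, params = parse_deep_link(s)
        owner = SCHEME_OWNERS.get(scheme)
        if owner and owner != app["package"]:
            foreign.append((scheme, params.get("action")))
    if not foreign:
        return "clean", foreign
    # Deep link alone: ordinary integration. Deep link plus password prompt:
    # the app asks for credentials and then hands off to the real app.
    if app["has_password_field"]:
        return "suspicious", foreign
    return "benign-integration", foreign

# Constructed sample records, not taken from any real APK.
SAMPLES = [
    {"package": "com.example.fakeapp", "has_password_field": True,
     "strings": ["Enter your password",
                 "uber://?action=setPickup&pickup=my_location"]},
    {"package": "com.example.maps", "has_password_field": False,
     "strings": ["uber://?action=setPickup&pickup=my_location"]},
    {"package": "com.example.legit_rideshare", "has_password_field": True,
     "strings": ["uber://?action=setPickup&pickup=my_location"]},
]

if __name__ == "__main__":
    for app in SAMPLES:
        print(app["package"], *triage(app))
```

A "suspicious" verdict is a prompt for manual review, not proof of malice: an app can have its own login and still offer a ride-hailing hand-off.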
Given the smart social engineering carried out through this malware, Symantec recommends making frequent backups, keeping software up to date, and paying attention to the types of permissions requested by apps.
This snippet of code shows the process through which the malware takes the user’s Uber credentials across to its server, then instructs Android to display the Uber ride request page.