Breaking News

Rare Malware Targeting Uber's Android App Uncovered || Malware Impersonates Uber App on Android to Steal Data || Should I Change My Uber Password? Android Malware Stealing Uber Credentials

Malware discovered by Symantec researchers sneakily spoofs Uber's Android app and harvests users' passwords, allowing attackers to take over the affected users' accounts. The malware isn't widespread, though, and most Uber users are not affected.
In order to steal a user's login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.
To cover up the credential theft, this malware uses deep links to Uber's legitimate app to display the user's current location - making it appear as though the user is accessing the Uber app instead of a malicious fake.

Deep linking routes users to specific content within an app (think of it as clicking the link to this story rather than a link to the Gizmodo home page). In this case, Symantec found that attackers used deep links to pull a rider's actual location information from Uber.
"To avoid alarming the user, the malware displays a screen of the legitimate app that shows the user's current location, which would not normally arouse suspicion because that's what's expected of the actual app," Symantec threat analysis engineer Dinesh Venkatesan wrote in a statement. "This case again demonstrates malware authors' neverending quest for finding new social engineering techniques to trick and steal from unwitting users."
However, the vast majority of Uber users are not at risk. The malware tries to pass itself off as the Uber app, but it's not available in the Google Play store and users would have to download from another source. "Users are likely in Russian-speaking countries in limited number. We don't anticipate such an app to be in widescale distribution," a Symantec spokesperson said.
Still, it's a good reminder for users not to download apps from untrusted sources - sticking to the Google Play store is a good idea - and to expect sophistication from malicious apps.
"Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources," an Uber spokesperson said. "However, we want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorised logins even if you accidentally give away your password."


Security researchers at Symantec have discovered a new variant of Android malware that is aiming to steal Uber passwords and login credentials.
The malware is a new variation on Android.Fakeapp, a common malware targeting Android devices. Previous versions of the attack have aimed to steal credit card numbers and other personal information, but the latest variant is specifically targeting Uber users.
The focus on Uber passwords makes sense for the attackers purely in terms of the number of users who could be affected by an attack. Uber is one of the most popular apps in the Google Play Store and has been installed on as many as 500 million devices worldwide. It also has a global reach, as Uber operates in more than 80 countries around the world.
Android.Fakeapp has been around since at least 2012, and the latest variant operates much the same as previous versions of the attack. The malware is most often installed when users download an infected app posing as a legitimate application. These apps are generally found in third-party app stores that do not offer the same protection as the Google Play Store—though malware has snuck through the cracks of Google’s firewall on several occasions.
Once installed on a device, Android.Fakeapp spoofs the Uber application user interface that would appear when the user opens Uber. The screen asks the user to enter their Uber login ID—either a phone number or email address—and password.
When the user enters the information, they aren’t actually providing it to Uber; the malware is using the fake interface to steal the login information from the victim. When the user goes to log in with the information, it is sent to a remote server controlled by the attackers.
After hijacking the victim’s username and password, the malware makes an effort to hide its behavior by directing users to another screen that appears as though it’s from the legitimate Uber app. It displays a screen that shows the user’s location like they would see upon opening Uber to order a ride.
While this type of obfuscation isn’t necessarily uncommon, Symantec notes that the creators of the Android.Fakeapp variant “got creative” with the process.
In order to display the Uber screen where users can order a ride, the malware uses what is called a deep link URL from the legitimate app that contains information about the user’s Ride Request activity. It also preloads the victim’s current location as the pickup point.
Like most URLs, deep links direct to a specific piece of content. Instead of a webpage like a standard URL, a deep link goes directly to a specific piece of information found in an app. Deep linking is typically used to launch a specific page or function within an app. It’s like directing a person to a specific webpage on a site rather than sending them to the homepage of the site and requiring them to click through to find the page.
In order to avoid installing Android.Fakeapp and other malware that could steal passwords, Symantec researchers recommend keeping Android software up to date, avoiding downloading apps from sources outside of the Google Play Store and installing a trusted mobile security app that can help detect threats before they can execute.
Of course, many Uber passwords have already been exposed on at least one occasion. The company suffered a security breach in 2016 that compromised as many as 57 million users, and it hid the breach for more than a year.
As soon as there were smartphones, there was malware for smartphones. The wealth of personal data on a mobile device makes it a tempting target for internet ne’er-do-wells, and they’re getting quite clever when it comes to fooling users into compromising their security. The latest malware scare is a nasty bit of code for Android called FakeApp. As the name implies, it pretends to be another app to steal data. In this case, it’s pretending to be Uber.
The FakeApp trojan was discovered by security firm Symantec through its regular monitoring of Android apps. The trojan takes over the user’s screen at regular intervals, interrupting what you’re doing. Usually being noticed is not what malware wants, but this trojan is using a bit of social engineering to trick users into willingly giving away their personal data.
When FakeApp appears, it impersonates the Uber app. It insists the user needs to log into the app with their registered phone number and password. Anyone who inputs that data will be giving data away to the bad guys. The theft is covered up by the app using Uber’s deep linking URI to pull up the “request ride” activity next. That makes everything seem legitimate, but in reality, the user’s data was transmitted to a remote server.
Once the malware creators have a list of phone numbers, they can sell them to other scammers. Passwords are potentially more valuable, as many people don’t use unique logins like they should and an Uber password could get the thieves into plenty of other accounts. When coupled with a phone number and SIM hijacking, the scammers might even be able to get into accounts protected with 2-factor authentication.
The good news here is it’s not easy to get bitten by FakeApp. It’s a standard Android app — it’s not using any critical security flaws to infiltrate your system. That means you need to download an APK file containing FakeApp, change your system settings to allow “unknown sources,” and then open the APK to manually install.
Symantec says the best way to avoid this threat is simply to make sure you aren’t downloading apps from outside the Google Play Store. Shady third-party app repositories specializing in pirated apps are the only places FakeApp has been detected. Steer clear of those places and don’t install suspicious APKs, and you’ll be fine. If you do think you’ve got FakeApp on your phone, a factory reset ought to take care of it.
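
For anyone checking a device against the advice above, here is an added example (not from Symantec, Uber or the articles quoted here) that audits the output of `adb shell pm list packages -3 -i`, which lists user-installed packages with the app that installed them. It flags anything not installed by Google Play and, as a rough heuristic, package names that imitate a protected brand. The sample listing is constructed, and the brand-to-package mapping is an assumption.

```python
import re

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store app
# Assumption: brands to watch, mapped to their genuine package names.
PROTECTED = {"uber": "com.ubercab"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_inventory(text):
    """Map package name -> installer (None when pm reports 'null')."""
    inventory = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package row
        inst = m.group("inst")
        inventory[m.group("pkg")] = None if inst == "null" else inst
    return inventory


def audit(inventory):
    """Return [(package, [reasons])] for packages worth a manual look."""
    findings = []
    for pkg, inst in sorted(inventory.items()):
        reasons = []
        if inst != PLAY_INSTALLER:
            reasons.append("not installed by Google Play")
        for brand, genuine in PROTECTED.items():
            # Heuristic only: a fake app is free to pick an unrelated name.
            if brand in pkg.lower() and pkg != genuine:
                reasons.append(f"package name imitates {genuine}")
        if reasons:
            findings.append((pkg, reasons))
    return findings


# Constructed sample listing; every package except com.ubercab is made up.
SAMPLE = """\
package:com.ubercab  installer=com.android.vending
package:com.example.uberride  installer=null
package:org.example.notes  installer=com.android.packageinstaller
package:com.example.maps  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, reasons in audit(parse_inventory(SAMPLE)):
        print(f"{pkg}: {'; '.join(reasons)}")
```

A sideloaded package is not necessarily malicious, so treat each finding as a prompt to check where the APK came from.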