Malicious Android software imitates Uber's layout to trick you into giving up your login details
- A new variant of a long-running piece of Android malware now imitates parts of Uber's app to trick users into giving away their login credentials.
- Android Fakeapp malware poses as a legitimate app, then sniffs out your data and shows you ads for profit.
- Security firm Symantec described the Uber mimicry as a "novel monetisation technique."
- But as long as you stick to Android apps from Google's Play Store, you're pretty safe.
Long-running Android malware "Fakeapp" has a new tack to trick people into giving away confidential login information, by imitating Uber's user interface.
We first saw the news via Engadget.
Fakeapp is a trojan horse for Android which pretends to be a legitimate application and, when downloaded, also downloads additional files that sniff out your data and display you ads for profit.
According to Symantec, a new variant saw Fakeapp spoofing the layout of Uber's app. This would pop up on the user's screen periodically in an effort to get them to enter their confidential login details, such as their phone number and password.
Here's what it looks like:
The malware creators then got "creative" according to Symantec. Once you've entered your details, the malware deep links to a page from the legitimate Uber app - specifically the screen that shows your location and asks you where you want to go. Deep linking on mobile means linking to a specific bit of an app, rather than simply just launching the app.
As Symantec put it: "To show the said screen, the malware uses the deep link URI of the legitimate app that starts the app's Ride Request activity, with the current location of the victim preloaded as the pickup point.
"Deep links are URLs that take users directly to specific content in an app. Deep linking in Android is a way to identify a specific piece of content or functionality inside an app. It is much like a web URL, but for applications."
The risk of any of this affecting you is pretty low, especially if you stick to downloading apps from Google's Play Store, rather than a third-party app store. Both Symantec and McAfee classify Android FakeApp as low risk too.
An Uber spokesman told Engadget said the firm would probably spot unauthorised logins: "Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password."