Android Malware Steals Uber Credentials and Covers Up the Heist Using Deep Links

The latest Android.Fakeapp variant steals user credentials then uses deep links to the legitimate Uber app to hide the fact.

PCQ Bureau

While analyzing the most recent Android.Fakeapp malware variants, we came across a sample that used a novel monetization technique in addition to the usual overlay tricks that ask users to enter their credit card details. This one is of particular concern to Uber users on Android, who number in the millions worldwide.

The Fakeapp variant we found had a spoofed Uber application user interface (UI) that pops up on the user’s device screen at regular intervals until the user is tricked into entering their Uber ID (typically the registered phone number) and password.

Figure 1 shows the fake Uber app UI displayed by the malware to get the user to enter their details. Once the user clicks the Next button (->), the malware sends the user ID and password to its remote server.


Figure 1. Fake Uber app screens for users to enter their registered mobile number and password

Next, the malware tries to cover up the heist. To avoid alarming the user, the malware displays a screen of the legitimate app that shows the user’s current location, which would not normally arouse suspicion because that’s what’s expected of the actual app.


This is where the creators of this Fakeapp variant got creative. To show that screen, the malware uses the deep link URI of the legitimate app that starts the app’s Ride Request activity, with the victim’s current location preloaded as the pickup point.


Figure 2. Screen of the legitimate app showing the user’s current location


Deep links are URLs that take users directly to specific content in an app. Deep linking in Android is a way to identify a specific piece of content or functionality inside an app; it is much like a web URL, but for applications. For example, the Uber app has the following deep link URI for its Ride Request activity:

  • uber://?action=setPickup&pickup=my_location

Figure 3 illustrates the code snippet of the malware that fires the VIEW intent with the Ride Request deep link URI after exfiltrating the Uber credentials to its remote server.
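To make concrete what a deep link such as `uber://?action=setPickup&pickup=my_location` actually identifies, the following added example (not code from the article, from Symantec, or from the Uber app) models in Python how Android resolves a VIEW intent carrying a deep link URI against the intent filters declared by installed apps. The package names, activity names and intent filters are constructed for illustration and are not taken from any real app's manifest; only the `uber://` URI itself comes from the article. The example generalizes slightly beyond the article by also showing a verified `https` App Link, which is why a custom-scheme link and an App Link behave differently when more than one app could handle them.

```python
"""Simplified model of Android VIEW-intent resolution for deep-link URIs.

Constructed intent filters stand in for the <intent-filter>/<data> elements
of real app manifests; none of the package or activity names below is real.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class IntentFilter:
    """One <intent-filter> with a <data> element, reduced to the fields used here."""
    package: str
    activity: str
    schemes: Tuple[str, ...]
    hosts: Tuple[str, ...] = ()   # empty: the filter does not constrain the host
    path_prefix: str = ""         # android:pathPrefix; empty: any path
    verified: bool = False        # True only for a verified https App Link


# Constructed filters (hypothetical packages and activities, for illustration only).
FILTERS: List[IntentFilter] = [
    # Custom scheme: any app may declare one, so it is not exclusive to one package.
    IntentFilter("com.example.rideapp", ".RideRequestActivity", ("uber",)),
    # Verified App Link: tied to a domain the app has proven it controls.
    IntentFilter("com.example.rideapp", ".RideRequestActivity", ("https",),
                 hosts=("rides.example.test",), path_prefix="/ul/", verified=True),
    # A browser accepts any http/https URL.
    IntentFilter("com.example.browser", ".BrowserActivity", ("http", "https")),
]


def parse_deep_link(uri: str) -> dict:
    """Split a deep-link URI into scheme, host, path and single-valued query params."""
    parts = urlsplit(uri)
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    return {"scheme": parts.scheme, "host": parts.netloc,
            "path": parts.path, "params": params}


def _matches(flt: IntentFilter, link: dict) -> bool:
    """Apply the scheme/host/path tests an intent filter's <data> element imposes."""
    if link["scheme"] not in flt.schemes:
        return False
    if flt.hosts and link["host"] not in flt.hosts:
        return False
    if flt.path_prefix and not link["path"].startswith(flt.path_prefix):
        return False
    return True


def resolve_view_intent(uri: str, filters: List[IntentFilter]) -> List[Tuple[str, str]]:
    """Return the (package, activity) targets that would receive a VIEW intent for uri.

    A verified App Link match is delivered to that app directly; otherwise every
    matching filter is a candidate and the system would show a chooser or use
    the user's default (simplified model of the real resolution rules).
    """
    link = parse_deep_link(uri)
    matched = [f for f in filters if _matches(f, link)]
    verified = [f for f in matched if f.verified]
    chosen = verified if verified else matched
    return [(f.package, f.activity) for f in chosen]


def describe_ride_request(uri: str) -> str:
    """Summarize what a Ride Request deep link asks the handling activity to do."""
    link = parse_deep_link(uri)
    action = link["params"].get("action", "<none>")
    pickup = link["params"].get("pickup", "<unset>")
    return f"scheme={link['scheme']} action={action} pickup={pickup}"


if __name__ == "__main__":
    ride_link = "uber://?action=setPickup&pickup=my_location"   # URI quoted in the article
    print(describe_ride_request(ride_link))
    print(resolve_view_intent(ride_link, FILTERS))
```

The `pickup=my_location` parameter is what makes the legitimate activity open on the victim's current location: the URI carries the instruction, and the app that handles the scheme does the work. For a reviewer triaging a suspicious APK, the corresponding static indicator is a VIEW intent whose data URI uses another app's scheme, sent right after a network call.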

Figure 3. Malware code snippet that fires the VIEW intent with the Ride Request deep link URI

This case again demonstrates malware authors’ never-ending quest for new social engineering techniques to trick and steal from unwitting users.

Mitigation

Symantec recommends users follow these best practices to stay protected from mobile threats:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton, to protect your device and data
  • Make frequent backups of important data