Android malware steals UBER credentials and covers up the heist using Deep Links

Norton has discovered a new malware that steals financial credentials and then uses deep links into the legitimate UBER app to cover its tracks.

Data security has become a major concern these days — thanks to a host of lethal malware attacks in 2017. Despite software developers doing their bit to make their platforms as hack-proof as possible, people with malicious intentions find ways to discover vulnerabilities and exploit them to their advantage. Norton has had a similar discovery with the world’s most popular operating system — Android. This time though, it’s related to one particular app that a majority of smartphone users might use daily — UBER.

The people at Norton came across a sample while analysing the most recent Android.Fakeapp malware variants. It was using a different monetisation technique, in addition to the regular overlay tricks asking users to enter their credit card details. This Fakeapp variant had a spoofed UBER application user interface (UI) which pops up on the user’s device screen at regular intervals until the user is tricked into entering their UBER ID (typically the registered phone number) and password.

Once the user clicks the Next button (->), the malware sends the user ID and password to its remote server. To prevent any doubt, the malware tries to cover up the heist by displaying a screen of the legitimate app that shows the user’s current location. This wouldn’t normally arouse suspicion because that’s what’s expected of the actual app.

Commenting on the issue, an Uber spokesperson said: “Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorised logins even if you accidentally give away your password.”

However, Symantec says that the creators of the Fakeapp variant focused on small details to mask their malware. They used the deep link URI of the legitimate app that starts the app’s Ride Request activity, with the current location of the victim preloaded as the pickup point. Deep links are URLs that take users directly to specific content in an app. Deep linking in Android is a way to identify a specific piece of content or functionality inside an app. It is much like a web URL, but for applications. Because the screen that follows the fake login really is the legitimate app, the user is tricked into giving out their ID and password without ever suspecting that the login screen itself was spoofed.
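To make the deep-link mechanism described above concrete, here is an added example (not code from the article, from Symantec, or from Uber) of how an Android app declares a deep link and how the receiving activity should validate the URI it is handed. The host `example.com`, the `/ride` path, the `lat`/`lng` parameters and the class `RideRequestActivity` are all hypothetical. The point for defenders is that a deep link can be fired by any app on the device, so the receiving activity must treat its contents as untrusted input, and the fact that the real app opens afterwards says nothing about whether the screen shown before it was genuine.

```kotlin
// Added example, not the original article's or Uber's code.
// All names below (example.com, /ride, lat/lng, RideRequestActivity) are hypothetical.
//
// AndroidManifest.xml entry that makes the activity reachable by a deep link:
// <activity android:name=".RideRequestActivity" android:exported="true">
//   <intent-filter android:autoVerify="true">
//     <action android:name="android.intent.action.VIEW" />
//     <category android:name="android.intent.category.DEFAULT" />
//     <category android:name="android.intent.category.BROWSABLE" />
//     <data android:scheme="https" android:host="example.com" android:pathPrefix="/ride" />
//   </intent-filter>
// </activity>

package com.example.deeplink

import android.content.Intent
import android.net.Uri
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity

class RideRequestActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val pickup = parsePickup(intent)
        if (pickup == null) {
            // Anything that is not a well-formed ride link is dropped. The sender
            // of a deep link is arbitrary (a browser, another app, or malware), so
            // nothing in the URI is trusted until it has been checked.
            finish()
            return
        }
        // ... show the ride request UI with `pickup` preloaded as the pickup point ...
    }

    companion object {
        const val HOST = "example.com"

        data class Pickup(val lat: Double, val lng: Double)

        // Returns a Pickup only when the intent is a VIEW of an https URI on our
        // host and path with a valid coordinate pair; otherwise null.
        fun parsePickup(intent: Intent?): Pickup? {
            if (intent?.action != Intent.ACTION_VIEW) return null
            val uri: Uri = intent.data ?: return null
            if (uri.scheme != "https" || uri.host != HOST) return null
            if (uri.path != "/ride") return null
            val lat = uri.getQueryParameter("lat")?.toDoubleOrNull() ?: return null
            val lng = uri.getQueryParameter("lng")?.toDoubleOrNull() ?: return null
            // Range-check the coordinates so a crafted link cannot push garbage
            // into the map or location logic.
            if (lat !in -90.0..90.0 || lng !in -180.0..180.0) return null
            return Pickup(lat, lng)
        }
    }
}
```

With `android:autoVerify="true"` and an `https` scheme, Android (6.0 and later) checks the host’s `assetlinks.json` so that only the genuine app can claim the link; a custom scheme such as `myapp://` has no such verification and can be registered by any installed app. Either way, validation inside the activity is what protects the app from malformed or hostile link contents; it does not, and cannot, stop another app from opening the legitimate activity as a cover, which is exactly the trick the article describes.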

This shows that malware authors never give up on finding new social engineering techniques to trick and steal from unwitting users. However, users can always take steps on their part to keep their data safe from prying eyes. Symantec suggests users follow some of these practices to stay protected from mobile threats:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Pay close attention to the permissions requested by apps
  • Install a suitable mobile security app, such as Norton, to protect your device and data
  • Make frequent backups of important data
