Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 PM
Connect Directly

Fake Uber App Hides Credential Theft with 'Deep Links'

Researchers discover a fake Uber application is tricking Android users into sharing their credentials with hackers.

A new form of Android malware tricks users into entering their credentials on a fake Uber app that connects to the real one.

Symantec analysts discovered the malware - which hides its data theft via so-called "deep links" that connect the phony app to the legitimate Uber app - last year while researching new variants of Android.Fakeapp, or malicious fake apps. There are thousands of fake apps, says Vikram Thakur, technical director of security response at Symantec. All are built with different motivations: data theft, credential theft, phishing, battery drainage, photo theft.

This particular fake app is attempting to lift Uber credentials. Its UI regularly pops up on victims' screens until they enter their Uber ID (usually phone number) and password. Once the user clicks "Next," it sends their credentials to an attacker's remote server, Thakur explains.

"From a technical standpoint, we saw the author of the malicious app trying to use what we call deep links," he says. Deep links are URLs that link to specific content in an app: Developers embed them so users can directly launch an application from a webpage or another app. For example, a deep link in a news app might directly link to a weather app when clicked.

The "Next" button users press after entering their Uber credentials into the spoofed UI is a deep link, which connects them to the legitimate Uber app. As their information is sent to the control server, users are directed to Uber's Ride Request page with their current location loaded. It's "a clever mechanism" the attacker is using to cover their tracks, Thakur says.

What's key here is not the scope of the attack but the strategy behind it. "This is the first time we've one of these fake applications making use of deep links," he notes.

Attackers have always evolved with available technology, Thakur continues. Once deep links became common in mobile apps, it was "only a matter of time" before they started to use them for nefarious purposes. It's a tradeoff, he says. Users and developers benefit from the convenience of new tech but have the downside of cybercriminals taking advantage.

This specific application was tailored toward Russian-speaking users and has not reached many people. Symantec's researchers only have visibility into devices on which its products are installed; from that perspective, the number of people who have downloaded this app is small.

Legitimate app stores like Google Play don't host the spoofed app, so anyone who downloads it would have to access a third-party site. Thakur says the attacker may have also attempted to peddle this app as an update to another legitimate application like Flash.

There are two reasons why someone would steal Uber credentials. An attacker may want to sell them on the Dark Web so buyers get free rides, or provide access to a broader set of data. Uber IDs can be used to access someone's number of rides, home address, email address, and other personal details.

"It plays an avid piece in one's identity," says Thakur. "When it comes to identity theft, there is a lot more information available about a certain individual, including their ride sharing or travel habits … stealing Uber credentials might be an extra piece into one's identity when they are sold on the underground."

Android users should limit their app downloads to stores where they have established trust, he explains. Vendors should note that deep links are not only used for legitimate purposes by legitimate authors. Users should also pay attention to notifications. If you're prompted to enter Uber credentials while in another app, there's a "high likelihood" you have a malicious app.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
PUBLISHED: 2020-10-26
Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
PUBLISHED: 2020-10-26
Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
PUBLISHED: 2020-10-26
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version ...