The Fakeapp trojan has been around on Android for a few years now, but Symantec has discovered a new variant that disguises itself as the Uber app.
After the malware has been downloaded - from a non-Google source - Fakeapp will periodically appear on the victim's screen and prompt for their Uber login details, such as their phone number and password. Those can then be sold on the black market, or leveraged to compromise other accounts.
The app doesn't stop there, though. To avoid suspicion, which might prompt a password change, Fakeapp then deep links to the actual Uber app.
Deep linking is used to open a specific part of an app directly, rather than just launching the app; think of it like a web URL for applications. In this case, once the victim has given Fakeapp their log-in information, it opens Uber's Ride Request screen, with the victim's location preloaded as the pickup point.
Symantec's advice is, predictably, not to download apps from anywhere except the Google Play store and to use anti-malware protection on your Android device.
Uber reassured users that it would probably be able to detect and block unauthorised logins, telling Engadget:
‘Because this phishing technique requires consumers to first download a malicious app from outside the official Play store, we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that's why we put a collection of security controls and systems in place to help detect and block unauthorised logins even if you accidentally give away your password.’