As soon as there were smartphones, there was malware for smartphones. The wealth of personal data on a mobile device makes it a tempting target for internet ne’er-do-wells, and they’re getting quite clever when it comes to fooling users into compromising their security. The latest malware scare is a nasty bit of code for Android called FakeApp. As the name implies, it pretends to be another app to steal data. In this case, it’s pretending to be Uber.
The FakeApp trojan was discovered by security firm Symantec through its regular monitoring of Android apps. The trojan takes over the user’s screen at regular intervals, interrupting what you’re doing. Usually being noticed is not what malware wants, but this trojan is using a bit of social engineering to trick users into willingly giving away their personal data.
When FakeApp appears, it impersonates the Uber app. It insists the user needs to log into the app with their registered phone number and password. Anyone who inputs that data will be giving data away to the bad guys. The theft is covered up by the app using Uber’s deep linking URI to pull up the “request ride” activity next. That makes everything seem legitimate, but in reality, the user’s data was transmitted to a remote server.
Once the malware creators have a list of phone numbers, they can sell them to other scammers. Passwords are potentially more valuable, as many people don’t use unique logins like they should and an Uber password could get the thieves into plenty of other accounts. When coupled with a phone number and SIM hijacking, the scammers might even be able to get into accounts protected with 2-factor authentication.
The good news here is it’s not easy to get bitten by FakeApp. It’s a standard Android app — it’s not using any critical security flaws to infiltrate your system. That means you need to download an APK file containing FakeApp, change your system settings to allow “unknown sources,” and then open the APK to manually install.
Symantec says the best way to avoid this threat is simply to make sure you aren’t downloading apps from outside the Google Play Store. Shady third-party app repositories specializing in pirated apps are the only places FakeApp has been detected. Steer clear of those places and don’t install suspicious APKs, and you’ll be fine. If you do think you’ve got FakeApp on your phone, a factory reset ought to take care of it.
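Since sideloading is the only way FakeApp gets onto a device, one way to triage a phone is to list the user-installed apps that did not come from Google Play. The script below is an added example, not from Symantec or the original article; the package names in the sample listing are constructed, and the `installer=` line format is assumed from typical `pm list packages -3 -i` output.

```shell
#!/bin/sh
# Added example: flag user-installed packages whose recorded installer is not
# Google Play. Input is the output of: adb shell pm list packages -3 -i
# Assumed line format: "package:<name>  installer=<installer package or null>"

PLAY_INSTALLER="com.android.vending"   # package name of the Play Store app

flag_sideloaded() {
    # Reads a package listing on stdin, prints "<package><TAB><installer>"
    # for every entry not installed by the Play Store.
    tr -d '\r' | awk -v play="$PLAY_INSTALLER" '
        /^package:/ {
            pkg = $1
            sub(/^package:/, "", pkg)
            inst = "null"                      # no installer field recorded
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^installer=/) {
                    inst = $i
                    sub(/^installer=/, "", inst)
                }
            }
            if (inst != play) printf "%s\t%s\n", pkg, inst
        }'
}

sample_listing() {
    # Constructed sample input; these are not real package names.
    cat <<'EOF'
package:com.example.rideshare  installer=com.android.vending
package:com.example.freeapps  installer=null
package:org.example.notes  installer=com.google.android.packageinstaller
EOF
}

# Against a connected device:
#   adb shell pm list packages -3 -i | flag_sideloaded
if [ "${1:-}" = "--demo" ]; then
    sample_listing | flag_sideloaded
fi
```

A package on this list is not necessarily malicious; the list only narrows down which apps arrived through the "unknown sources" path and deserve a closer look.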