Fake Uber App Steals Credentials

March 8, 2018

Security professionals and Uber are warning users about a fake Android app posing as the legitimate Uber ride-sharing app. The FakeApp Trojan is now being used to mimic the behavior of Uber, and its ultimate goal is to steal the credentials for users’ Uber accounts. Researchers at Symantec discovered that when FakeApp is running, it displays a spoofed version of Uber that encourages users to enter their user IDs (in the form of their phone numbers) and passwords. If the credentials are entered, they are sent to a remote server.

The researchers at Symantec say that the fake Uber app is downloaded from third-party locations. In other words, it’s sideloaded. The lesson here is to avoid getting your applications from anywhere other than the official app stores. While it isn’t guaranteed that every product in those stores is free of malware, apps do go through serious scrutiny before being allowed in. Sideloaded apps don’t necessarily undergo this type of review. The owners of the app stores are also very quick to remove bad apps once they are notified of them. Third parties may not be so quick.

Uber does say it has implemented security measures to prevent reuse of credentials. For example, it has been attempting to implement multi-factor authentication for years, with mixed results. However, Uber information has been found for sale on the Dark Web for up to $1 per record. The biggest risk for users comes from password reuse: hackers will try stolen credentials over and over on various sites in hopes that they will eventually work and result in a payday.

Therefore, it’s important to have a unique login ID and password for every single online account. Yes, it can be cumbersome, but there are some ways to remember them.

You can write them down, although this is the least preferred way of keeping track of them. If you do this, be sure to keep your list in a completely separate location from any device that is internet-connected. You can also use clues to trigger your memory, rather than writing out the passwords.

You can also use a base password or phrase and add letters from the website name to create a unique password for every site. For example, make your base “X9Uz1#” and add the first two characters of the site name to the beginning, to the end, or as bookends. If the site you are logging into is “XYZCompany,” your password would become “X9Uz1#xy”. Another account may be on “abcstore”; your password for that one would become “X9Uz1#ab”. Then change your strategy every six months or so when you change your passwords.

Remember that when a bit of malware is reported to be specific to a certain operating system, that doesn’t mean it will stay that way by any stretch of the imagination. Malware authors revise and expand their wares regularly. Just because this one targets Android doesn’t mean they aren’t actively working on an Apple version too.

Stickley on Security
March 6, 2018