Just as Uber was planning to rebound and put 2017 in the backseat, it seems to be caught up in the rubble of another calamity – but at least this time the company is not at fault. Security firm Symantec has discovered a fake Uber app making rounds on the APK stores online that is typically used to steal credentials of users.

The malicious app is an impressively mimicked version of the original Uber app and doesn’t give users the slightest hint about its mischievous nature. Instead of hurrying to get the job done, the rogue app uses deep links to Uber’s interface, and thus, tricks users into believing that they are using the legit app.

Fake Uber app’s interface with striking resemblance to the original app

The camouflaged malware randomly wakes from its deep sleep to prompt users to enter their username and password and then continues to function just like the original app. After a successful login, the app shows the users’ current location by pulling data from the real app using Uber’s API. This does not trigger instant panic as the infected user has no reason to be suspicious.

The user ID and password are sent directly to hackers who try to hack other accounts associated with this registered email or mobile number along with the same password. The gathered credentials are also sold to other hackers and third-parties through the Dark Web.

Symantec notes that the app is not available on the Google Play Store, and insists that users must avoid sideloading apps from unauthorized sources, especially those originating in Russia, as the company revealed the app is primarily in Russian.

This case again demonstrates malware authors’ neverending quest for finding new social engineering techniques to trick and steal from unwitting users.

Likewise, Uber has issued a warning to its users, urging them to download apps only from “trusted sources”.

We want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password.