
Example Analysis of Android Malware Stealing Uber Credentials

2025-04-10 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article shares an example analysis of Android malware that steals Uber credentials. The editor thinks it is very practical, so it is shared here as a reference.

Researchers recently disclosed a new variant of the Android malware Android.Fakeapp. The main goal of this malware is to steal the credentials of Uber users; it then uses deep links into the legitimate Uber app to hide what has happened.

While analyzing the latest Android.Fakeapp variants, one sample caught our attention. The sample uses a rather novel and different technique that requires users to enter their credit card details. With millions of Android users around the world, this is of particular concern to Android phone users who use Uber.

In addition, after further analysis, we found that the Fakeapp variant has a deceptive Uber app user interface (UI) that pops up periodically on the user's device screen until the user is tricked into entering his or her Uber ID (usually a registered phone number) and password.

Figure 1 shows the fake Uber app UI popped up by the malware, which is used to trick users into entering their details. Once the user enters the requested details and clicks the "next" button (->), the malware sends the user's ID and password to its remote server.

Then, to avoid attracting the user's attention, the malware switches to a screen of the legitimate application that displays the user's current location, which usually does not arouse suspicion.

This is where the Fakeapp variant is very creative. To display that screen, the malware uses a deep link into the legitimate app to launch the app's Ride Request activity, with the victim's current location preloaded as the pickup point.

Deep links are URLs that take users directly to specific content in an application. On Android, a deep link identifies specific content or functionality inside an app, and to the calling application it works much like a web URL. For example, the Uber app's Ride Request activity has the following deep link URI:

uber://?action=setPickup&pickup=my_location

Figure 3 shows a partial code snippet from the malware that, after sending the Uber credentials to its remote server, uses the Ride Request deep link URI to fire a VIEW intent.

This case shows once again that malware writers are constantly innovating and improving their spoofing and theft techniques, and it is a wake-up call for the security of the mobile applications ordinary users rely on.
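The hand-off described above leaves a static trace: a hard-coded URI whose custom scheme belongs to a different app. The following triage sketch is an added example, not code from the original analysis; it assumes a manifest already decoded to text and decompiled sources held as strings, and the function names, allowlist and sample inputs are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Schemes too common to be interesting during triage (constructed allowlist).
COMMON = {"http", "https", "file", "content", "market", "tel", "mailto", "geo"}
URI_LITERAL = re.compile(r'"([A-Za-z][A-Za-z0-9+.\-]*)://[^"\s]*"')

def own_schemes(manifest_xml):
    """Schemes the app registers for itself in its intent filters."""
    root = ET.fromstring(manifest_xml)
    values = (d.get(ANDROID_NS + "scheme") for d in root.iter("data"))
    return {v.lower() for v in values if v}

def foreign_deep_links(manifest_xml, sources):
    """Return (file, line_no, uri) for hard-coded custom-scheme URIs
    whose scheme the app does not own, i.e. hand-offs into other apps."""
    skip = COMMON | own_schemes(manifest_xml)
    hits = []
    for name, text in sorted(sources.items()):
        for no, line in enumerate(text.splitlines(), 1):
            for m in URI_LITERAL.finditer(line):
                if m.group(1).lower() not in skip:
                    hits.append((name, no, m.group(0).strip('"')))
    return hits

# Constructed sample input: a decoded manifest and two decompiled source files.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <data android:scheme="sampleapp"/>
  </intent-filter></activity></application>
</manifest>"""
SAMPLE_SOURCES = {
    "Main.java": 'String help = "https://example.com/help";\n'
                 'Uri self = Uri.parse("sampleapp://home");\n',
    "Overlay.java": 'Uri u = Uri.parse("uber://?action=setPickup&pickup=my_location");\n'
                    'startActivity(new Intent(Intent.ACTION_VIEW, u));\n',
}

if __name__ == "__main__":
    for hit in foreign_deep_links(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(hit)
```

A hit is only a triage signal, since legitimate apps also link into other apps; it becomes more interesting when the same sample also draws a login form imitating the app it links into.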

Security recommendations

Symantec recommends that users follow these security best practices to protect against mobile threats:

Update applications to the latest version as soon as it is available

Avoid downloading applications from unfamiliar websites and install only applications from trusted sources

Pay close attention to the permissions an application requests

Install an appropriate mobile security application, such as Norton, to secure your device and data

Back up important data regularly
