Skip to main content

Latest Android Malware Mimics Uber, WhatsApp

Savvy Android users already know to avoid dodgy copycat apps from outside the Google Play Store. As long as they're using the real versions of banking, messaging and transportation apps, their information is usually safe, after all.

Or so they thought. A new European malware campaign sneaks a disreputable overlay over perfectly normal apps such as WhatsApp, WeChat, Uber and even the Google Play app itself, then proceeds to collect a user's personal information, up to and including their credit card numbers. Even worse: While the malware is relatively easy to spot, getting rid of it is much harder.

Credit: Uber

(Image credit: Uber)

FireEye, a security firm based in Milpitas, California, wrote about the issue on its blog, explaining that the company first became aware of the issue back in April. While looking into the RuMMS smishing (SMS phishing, or tricking people into clicking on dodgy links in text messages) campaign in Russia, the researchers found traces of similar activity in Denmark and Italy.

Further research revealed the app overlay malware was present in Austria and Germany, with potential infections in Luxembourg, Spain, Sweden, Norway, the Netherlands, Greece, Turkey and the United Kingdom. (Apparently, the scammers did not realize that the U.K. prefers to distance itself from the rest of Europe.)

MORE: Best Antivirus Software and Apps

Here's how the scam works: First, a user gets a text message that sounds like something important. One message read, "We could not deliver your order. Please check your shipping information here," then proceeds to list a bit.ly link.

While the message is vague, and most experienced users would know better than to click on it, confirming shipping details for an order via text is hardly an impossibility. Furthermore, because of the bit.ly link, the URL could be anything, either legitimate or unscrupulous.

In this case, it's the latter. The SMS hyperlink leads users to a variety of malicious download sites all around Europe. While there's no hard data on how many people the malware has infected, unwitting victims have followed the links at least 161,349 times. Having a good antivirus program on your Android phone may not do you any good here: FireEye determined that only 6 out of 54 security programs were able to identify the software as malicious.

Not that the links will tell you they're downloading software, of course. Although the malware initially targeted banking apps, FireEye reported it targeting Uber, WhatsApp and the Chinese messaging app WeChat as well. Whenever you open one of those legitimate apps, the malware opens an identical screen of its own that perfectly overlays the real one -- complete with form fields.

As you enter your username, password, bank-account number or credit card number into what you assume to be the real app, the malware app collects it and transmits it back to its overlords.

Who are the cybercriminals behind this campaign, exactly? It's not clear, but they've rented server space across Europe and the Middle East. The stolen information finds its way to servers in the United Arab Emirates, Germany, Latvia, Italy and the Netherlands. The masterminds seem to be fluent in Danish, and a lot of their potential victims are also Danish.

Since the malware isn't easily detected by antivirus programs, the best way to protect yourself is to go into your Android security settings and make sure that the option to install software from "Unknown sources" is disabled. That will prevent drive-by installations from non-Google sources.

Next, you should systemically ignore every text message with a hyperlink from an unfamiliar number. (If it's from a familiar number, then first verify it before clicking.) If you really have a pending order, or a problem with a financial transaction, or whatever else the SMS claims, it's best to call the institution directly and check for yourself.