A credentials-stealing malware program disguised as an Android app was recently found spoofing an Uber user interface, and even leveraging a deep link uniform resource identifier from the actual ride-sharing app in order to appear legitimate.

According to a Jan. 3 blog post from Symantec Corporation, the variant of Android.FakeApp malware periodically displays an Uber UI on infected users' device screens in regular intervals until they enter their Uber ID and password. Generally, the ID consists of the user's registered phone number.

A screenshot of the fraudulent interface that was shown on Symantec's website displays what appears to be Cyrillic characters, suggesting the fake app is targeting Russians or other Slavic language-speakers. After victims enter their information and click the “Next” button, the malware communicates this data to a remote command-and-control server.

To appear on the up and up, the malware uses an actual Uber deep link URI to launch the legit app's Ride Request activity, which shows the current location of the victim as a preset pick-up point. As Symantec explains in the post, deep links are URLs that send users directly to specific content within an app – in this case, a screen of the legitimate app that users would expect to see.

“This case again demonstrates malware authors' neverending quest for finding new social engineering techniques to trick and steal from unwitting users,” writes blog post author Dinesh Venkatesan, principal threat analysis engineer at Symantec, who called the deep link tactic a “creative” maneuver.