A new variant of the long-running Android.Fakeapp malware is imitating the Uber app’s interface in order to gain the login credentials of users.

According to Symantec, the trojan horse has a spoof version of the Uber app which periodically pops up on the user’s device until it tricks them into entering their Uber ID and password.

Once the user has entered their details, to avoid them becoming suspicious, the malware intelligently displays a legitimate screen from the app that shows the user’s location and asks where they want to request a journey to. The malicious software does this through a process called ‘deep linking’ – which is when users a sent to a specific part of an app, as opposed to launching the full app.

“To show the said screen, the malware uses the deep link URI of the legitimate app that starts the app’s Ride Request activity, with the current location of the victim preloaded as the pickup point,” said Dinesh Venkatesan, principal threat analysis engineer at Symantec. “Deep links are URLs that take users directly to specific content in an app. Deep linking in Android is a way to identify a specific piece of content or functionality inside an app. It is much like a web URL, but for applications.”

In order to fight against this variation of Fakeapp and others, Symantec recommends people keep their software up-to-date, only download apps from trusted sources, pay attention to the permissions requested by apps, install mobile security, and frequently backup important data.