A modification of the mobile banking Trojan, FakeToken, has been developed and is able to steal credentials from popular taxi and ride-sharing mobile applications.

This is according to Kaspersky Lab researchers, who say they have discovered the new version, which performs live tracking of apps and, when the user runs a specified Android app, overlays this with its phishing window to steal the victim's bank card details.

The FakeToken is Android malware that contains man-in-the-middle functionality, to hijack two-factor authentication tokens and can be remotely controlled to grab the initial banking password directly from the infected mobile device.

"The Trojan, which initially targeted banking apps, has an identical interface, with the same colour schemes and logos, and creates an instant and completely invisible overlay of an app," says Kaspersky Lab's research.

"Criminals are now targeting the most popular international taxi and ride-sharing services with this malware. Moreover, the Trojan steals all incoming SMS messages by redirecting them to its command and control servers, allowing criminals to get access to one-time verification passwords sent by a bank, or other messages sent by taxi and ride-sharing services." Among other things, this FakeToken modification can monitor users' calls, record them, and transmit the data to the command and control servers, adds Kaspersky Lab.

"The fact that cyber criminals have expanded their activities from financial applications to other areas, including taxi and ride-sharing services, means the developers of these services may want to start paying more attention to the protection of their users," says Viktor Chebyshev, security expert at Kaspersky Lab.

"The banking industry is already familiar with fraud schemes and tricks, and its previous response involved the implementation of security technologies in apps that significantly reduced the risk of theft of critical financial data. Perhaps now it is time for other services that are working with financial data to follow suit." Researchers have also detected FakeToken attacks on other popular mobile applications, such as travel and hotel booking apps, apps for traffic fine payments, Android Pay and the Google Play Market.

According to security software company Trend Micro, FakeToken first emerged in 2013 as bank information-stealing mobile malware. It misuses Android's device administration application program interface, commonly used by enterprise apps, to change the device's passcode and lock its screen.

"FakeToken's advanced ruse is notable given the worldwide popularity of ride-sharing, taxi, carpooling, and transportation apps like Uber, Lyft, Sidecar, Easy and Grab, and it poses significant risks to users. For instance, the number of installs for the Uber app on the Google Play Store alone ranges between 100 million and 500 million," explains Trend Micro.

While the latest version of FakeToken is distributed around Russia and countries in the Commonwealth of Independent States, Trend Micro says it won't take long before it hitchhikes its way across the world.