From stolen accounts to Russian-hacker run networks, Uber’s black-market trade has steadily become a staple in the digital underground. Now, researchers from cybersecurity firm Symantec have found a piece of malware that tries to steal a target’s Uber password, before covering up its own tracks.
According to that research, the Android malware causes a fake Uber user interface to repeatedly pop up on a target’s device, taking up the whole screen, until the user enters their Uber ID and password. As with many other phishing campaigns, as soon as the victim provides their credentials, the malware sends those details off to the hacker’s remote server, Symantec said.
In an email, Uber spokesperson Melanie Ensign told The Daily Beast “we recommend only downloading apps from trusted sources. However, we want to protect our users even if they make an honest mistake and that’s why we put a collection of security controls and systems in place to help detect and block unauthorized logins even if you accidentally give away your password.”
Hackers could do a few different things with a stolen set of Uber accounts. They could sell them on the dark web, where customers buy login details and then simply take rides at their victim’s expense. In 2015, scammers were selling thousands of stolen accounts for $1 each, before the market became saturated and the price plummeted to just 40 cents per account. Many of these accounts were likely hacked because victims had used the same password on Uber as well as a website that was already breached, meaning scammers could just log into the user’s account.
Stolen accounts may also come in handy when running other Uber-related scams, such as when hackers trick Uber by posing as both driver and customer with spoofing-technology, or when running their own, illegitimate network of Uber drivers.
Vikram Thakur, technical director at Symantec, also told The Daily Beast the accounts could be used to compile a fuller picture when stealing identities.
The malware, however, is distributed not through the ordinary Google Play Store, but through third-party application stores, Thakur said.
“Users are likely in Russian-speaking countries in limited number. We don’t anticipate such an app to be in wide scale distribution,” Thakur added.
Regardless, in an attempt to operate surreptitiously, after stealing the data, the malware Symantec found then displays a screen from the real Uber app installed on the victim’s phone, showing their current location. This is done by calling a so-called deep link URI, which takes users to particular content within an app, and starts the Ride Request process, the report adds.