A new imposter app for Android pops up a screen that resembles a user’s Uber login screen in order to steal their username and password, before automatically spawning the real Uber app so the user won’t realize anything’s amiss.

The security firm Symantec, which discovered the fake Uber app, says it’s a variant of a type of malware it calls Android.Fakeapp. Earlier versions have impersonated other popular apps.

The creators of this version”got creative,” Symantec’s researchers write, with the use of a deep link, which lets one app link into inner screens in other apps. The fake user interface “pops up on the user’s device screen in regular intervals until the user gets tricked into entering their Uber ID (typically the registered phone number) and password.” After a user presses “Next” and the credentials are stolen, the user is sent to the ride request screen on their legitimate Uber app, where they would expect to be after logging in, the company says.

Last month, security firm Avast similarly reported malware that could impersonate common Android apps like the Google Play Store and Chrome, along with thousands of different banking apps, in order to steal credentials.

Symantec advises smartphone users to only install apps from trusted sources, monitor which permissions apps are requesting, and use mobile security tools to keep their phones safe. Uber for Android has been installed between 100 million and 500 million times from the Google Play Store, according to statistics from the site. Of course, some of those Android users were part of a breach involving roughly 57 million accounts that the company disclosed late last year.