Grab, Gojek cracking down on such apps, which also put customer data at risk

Some private-hire drivers here are using modified versions of ride-hailing apps from firms such as Grab and Gojek to cheat the system.

Bootleg versions of these apps allow drivers to bypass verification, fake their location, cancel jobs without being penalised and, in some cases, view private customer information.

The New Paper understands that some drivers have been caught and penalised with warnings and suspensions.

Checks by TNP found a thriving online community dedicated to hacking and modifying these apps.

Some people are also offering their services on online forums and messaging apps to drivers who lack the technical expertise to do it themselves.

One advertisement touted such services at a monthly rate of $350 for the Grab Driver app and $200 for the Gojek app.

Last week, Facebook user Boon Tat Tan alleged that some Grab drivers were using hacked apps to cancel and decline rides without consequence, or collude to force a pricing surge for higher fares.

He told TNP that drivers like himself needed to work for more than 12 hours to earn $200 a day before factoring in other costs, but users of the modified apps could earn more while working fewer hours.

When contacted, Grab and Gojek said they were aware of such abuse, which they described as fraud.

A Grab spokesman said it takes fraud seriously and has dedicated data scientists focusing on anti-fraud efforts.

"We want to ensure fairness for all our driver-partners and will not hesitate to suspend bad actors who exhibit fraudulent behaviour on our platform," the spokesman added.

A Gojek spokesman said it will take swift action such as suspending errant drivers and reporting them to the authorities.

Neither firm revealed the number of drivers caught.

Cybersecurity firm Group-IB's head of research and development Alexander Lazarenko warned that modified apps can compromise customer safety.

He said such apps not only unfairly benefit drivers by letting them cherry-pick passengers and jump the queue, but they could also lead to customers' personal data being compromised, or malicious code being introduced to spy on them.

REVERSE ENGINEERED APPS

Though Grab and Gojek constantly update the apps to prevent abuse, there are ways to hack them again.

"It is relatively easy to reverse engineer an app now," Mr Lazarenko said.

"Even if the source code is obfuscated, the app is not 100 per cent secure and resilient. Reverse engineering it is just a matter of time."

He said the ride-hailing firms need to adopt solutions such as device fingerprinting and anti-fraud functionality to allow them to identify mobile devices with malicious apps.

Such functions would likely block access to all variations of the app except the most up-to-date version.