Private-hire drivers caught hacking Grab, Gojek apps to bypass system and raise earnings

Modified versions of ride-hailing apps such as Grab and Gojek are being hawked online and through messaging apps. PHOTO: BOON TAT TAN/FACEBOOK
The New Paper understands that some drivers have been caught and penalised with warnings and suspensions. ST PHOTO ILLUSTRATION

SINGAPORE (THE NEW PAPER) - Some private-hire drivers here are using modified apps of ride-hailing firms such as Grab and Gojek to cheat the system.

Bootleg versions of these apps allow drivers to bypass verification, fake their location, cancel jobs without being penalised and, in some cases, view private customer information.

The New Paper understands that some drivers have been caught and penalised with warnings and suspensions.

Checks by TNP found a thriving online community dedicated to hacking and modifying these apps.

Some people are also offering their services on online forums and messaging apps to drivers who lack the technical expertise to do it themselves.

One such advertisement touted such services at a monthly rate of $350 for the Grab Driver app and $200 for the Gojek app.

Last week, Facebook user Boon Tat Tan alleged that some Grab drivers were using hacked apps to cancel and decline rides without consequence, or collude to force a pricing surge for higher fares.

He told TNP that drivers like himself needed to work for more than 12 hours to earn $200 a day before factoring in other costs, but users of the modified apps could earn more while working fewer hours.

When contacted, Grab and Gojek said they were aware of such abuse, which they described as fraud.

A Grab spokesman said it takes fraud seriously and has dedicated data scientists focusing on anti-fraud efforts.

"We want to ensure fairness for all our driver-partners and will not hesitate to suspend bad actors who exhibit fraudulent behaviour on our platform," the spokesman added.

A Gojek spokesman said it will take swift action such as suspending errant drivers and reporting them to the authorities.

Neither firm revealed the number of drivers caught.

Cyber security firm Group-IB's head of research and development Alexander Lazarenko warned that modified apps can compromise customer safety.

He said such apps not only unfairly benefit drivers by letting them cherry-pick passengers and jump the queue, but they could also lead to customers' personal data being compromised, or malicious code being introduced to spy on them.

REVERSE-ENGINEERED APPS

Though Grab and Gojek constantly update the apps to prevent abuse, there are ways to hack them again.

"It is relatively easy to reverse engineer an app now," Mr Lazarenko said.

"Even if the source code is obfuscated, the app is not 100 per cent secure and resilient. Reverse engineering it is just a matter of time."

He said the ride-hailing firms need to adopt solutions such as device fingerprinting and anti-fraud functionality to allow them to identify mobile devices with malicious apps.

Such functions would likely block access to all variations of the app except the most updated version.

The proliferation of bootleg apps has led Grab to offer its driver-partners up to US$1,000 (S$1,350) for information on fraud cases under its Fair Play Rewards Programme.

Mr James Ow Yong of Kalco Law warned that those who use or modify such apps could be breaking the law.

Modifying the apps to cancel rides without being detected or to spoof locations is an offence under the Computer Misuse Act that carries a fine of up to $10,000, jail for up to three years, or both, he said.

If the operator's loss exceeds $10,000 within a year of the offence, the offender may face enhanced penalties of a fine of up to $50,000, jail for up to seven years, or both.

Those who illegally access protected data, such as phone numbers and payment details of customers, on the app can be fined up to $5,000, jailed for up to two years, or both.

If they accessed the information to commit an offence, they can be fined up to $50,000, jailed for up to 10 years, or both.

Mr Ow Yong said those who modified the app for others to break the law could be convicted of abetment and face similar penalties.

"While innocently appearing to 'game' the system, these actions can cause significant loss to service providers such as Grab and the public at large.

"It is in essence cheating and it is only a matter of time before the law catches up," he added.