There are many possible attack vectors. For example, password could be bruteforced by botnet, Android phone could be infected using some Linux kernel vulnerability, SMS could be intercepted because of vulnerabilities in cellular networks. And of course there could be vulnerabilities on Uber's side.