Cyber crooks push Android malware via letter

Cyber crooks are trying out an interesting new approach for getting information-stealing malware installed on Android users’ smartphones: a physical letter impersonating MeteoSwiss (i.e., Switzerland’s Federal Office of Meteorology and Climatology).

“The letter asks the recipients to install a new severe weather app. However, there is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’),” the Swiss National Cyber Security Centre warned on Friday.

The letter (Source: Switzerland’s National Cyber Security Centre)

The malware

Once installed, the Android-specific malware tries to steal access data from over 380 smartphone apps, including mobile banking apps, the NCSC says.

It does that by performing overlay attacks and by intercepting and controlling calls, SMS, and push notifications.

The malware is sold under the as-a-service model and cyber crooks previously tried distributing it online by impersonating legitimate applications, Team Cymru researchers noted.

What should victims do?

“As soon as the malware has been downloaded, it is displayed as the ‘AlertSwiss’ app on phones with the Android operating system,” the NCSC explains.

“The spelling (‘AlertSwiss’ instead of ‘Alertswiss’) and, depending on the Android version, the app icon also differ significantly from the genuine app (rectangular logo in a white circle for the fake app, round logo for the genuine app).”

Users who have scanned the QR code in the letter and downloaded and installed the fake app have been advised to reset their smartphone to factory settings to remove it.

Help Net Security has reached out to the NCSC to ask for more details about the extent and success of this unusual malware delivery campaign, and we’ll update this article if we hear back from them.
