Fake letters spread Android malware with QR codes
A new cyber threat has emerged in Switzerland, where fraudsters are distributing malware through physical letters, a rare tactic in the digital age.
Swiss residents have been warned to be on high alert after receiving letters impersonating the Federal Office of Meteorology and Climatology, MeteoSwiss, urging them to download a fraudulent weather app.
The Scam: A Fake Weather App
The letters, disguised as an official communication, include a QR code claiming to lead to a “Severe Weather Warning App.” However, scanning the code directs users to a fake application named “AlertSwiss” instead of the legitimate “Alertswiss” app.
The slight difference in spelling and app design is a critical clue. Unlike the genuine app, which can be found on trusted platforms like the Google Play Store, the fake app is hosted on a third-party website.
Once installed, the app deploys a version of the Coper trojan, a sophisticated malware capable of logging keystrokes, intercepting two-factor authentication (2FA) codes, and stealing credentials from over 380 apps, including mobile banking platforms.
It also has the ability to intercept calls, SMS, and push notifications, significantly increasing its reach and potential damage.
This malware operates as a service, meaning it is sold to cybercriminals who can customize it for their own schemes. In this campaign, the trojan also connects to command-and-control servers, enabling attackers to remotely control infected devices and launch phishing attacks.
Fig 1. The fake letter (Source: Switzerland’s National Cyber Security Centre)
Key Red Flags for Users
The Swiss National Cyber Security Centre (NCSC) has highlighted key differences between the fake and genuine apps:
- App Name: The fake app uses “AlertSwiss” instead of “Alertswiss.”
- App Icon: The fake app’s icon design differs slightly depending on the Android version.
- Distribution: The fake app is available only via a third-party website, not the official Google Play Store.
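The three red flags above (a name that differs only in case, and a download hosted outside the official store) are mechanical enough to check before anyone taps "install". The following Python helper is an added example, not code from the NCSC or from the article: it takes the URL decoded from a QR code and the app name shown on the download page, and returns a list of warnings. The store hosts it trusts, the list of known legitimate app names, and every URL and package identifier in the comments and test are assumptions constructed for the example.

```python
"""Triage a link decoded from a QR code on unsolicited mail.

Added example (not from the NCSC or the article). Checks the two
red flags that can be verified mechanically: whether the download
comes from an official store, and whether the displayed app name is
a case-only or near variant of a known legitimate app.
"""
import difflib
from urllib.parse import parse_qs, urlparse

# Assumption: only these hosts count as official app stores.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Constructed list of legitimate app names the user expects to see.
KNOWN_APPS = ["Alertswiss"]


def classify_link(url: str) -> dict:
    """Describe where a download link points."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Exact host match: a lookalike such as play.google.com.evil.example
    # contains the store name but is not the store.
    official = host in OFFICIAL_STORE_HOSTS
    direct_apk = parsed.path.lower().endswith(".apk")
    package = None
    if host == "play.google.com":
        # Play Store links carry the package name in the "id" parameter.
        package = parse_qs(parsed.query).get("id", [None])[0]
    return {
        "host": host,
        "scheme": parsed.scheme.lower(),
        "official_store": official,
        "direct_apk": direct_apk,
        "package": package,
    }


def name_lookalike(candidate: str, known=KNOWN_APPS):
    """Return (kind, legitimate_name) if the candidate resembles a known app."""
    for legit in known:
        if candidate == legit:
            return ("exact", legit)
        if candidate.lower() == legit.lower():
            # "AlertSwiss" vs "Alertswiss": same letters, different case.
            return ("case-variant", legit)
        ratio = difflib.SequenceMatcher(None, candidate.lower(), legit.lower()).ratio()
        if ratio >= 0.85:
            return ("near-match", legit)
    return None


def triage_qr(url: str, displayed_name: str) -> list:
    """Combine both checks into human-readable warnings."""
    warnings = []
    link = classify_link(url)
    if link["scheme"] != "https":
        warnings.append("link is not HTTPS")
    if not link["official_store"]:
        warnings.append(f"download is not from an official store (host: {link['host'] or 'unknown'})")
    if link["direct_apk"]:
        warnings.append("link points directly at an APK file")
    match = name_lookalike(displayed_name)
    if match and match[0] != "exact":
        warnings.append(f"app name '{displayed_name}' is a {match[0]} of legitimate app '{match[1]}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a third-party host mimicking the store name.
    for w in triage_qr("https://play.google.com.evil.example/AlertSwiss.apk", "AlertSwiss"):
        print("WARNING:", w)
```

An empty list from `triage_qr` does not prove a link is safe; it only means the two checks the NCSC listed did not trip, so the icon comparison and the decision to install still rest with the user.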
Google has assured users that Android devices are protected against known versions of this malware through Google Play Protect, which blocks harmful apps, even from unofficial sources.
What to Do if You’re Affected
If you have scanned the QR code and installed the fake app, the NCSC advises resetting your smartphone to factory settings immediately. This is the only way to ensure the malware is completely removed.
Users are also encouraged to verify apps and their sources before downloading them to avoid falling victim to similar schemes.
This incident underscores the growing sophistication of cybercriminal tactics. While QR code scams are not new, the use of physical letters adds an unexpected layer of deception.
Always double-check app names, icons, and distribution sources to protect yourself from malicious attacks.