Cyber crooks push Android malware via letter

Cyber crooks are trying out an interesting new approach for getting information-stealing malware installed on Android users’ smartphones: a physical letter impersonating MeteoSwiss (i.e., Switzerland’s Federal Office of Meteorology and Climatology).

“The letter asks the recipients to install a new severe weather app. However, there is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’),” the Swiss National Cyber Security Centre has warned on Friday.

Android malware letter

The letter (Source: Switzerland’s National Cyber Security Centre)

The malware

Once installed, the Android-specific malware tries to steal access data from over 380 smartphone apps, including mobile banking apps, the NCSC says.

It does that by performing overlay attacks and by intercepting and controlling calls, SMS, and push notifications.

The malware is sold under the as-a-service model and cyber crooks previously tried distributing it online by impersonating legitimate applications, Team Cymru researchers noted.

What should victims do?

“As soon as the malware has been downloaded, it is displayed as the ‘AlertSwiss’ app on phones with the Android operating system,” the NCSC explains.

“The spelling (‘AlertSwiss’ instead of ‘Alertswiss’) and, depending on the Android version, the app icon also differ significantly from the genuine app (rectangular logo in a white circle for the fake app, round logo for the genuine app).”

Users who have scanned the QR code in the letter and downloaded and installed the fake app have been advised to reset their smartphone to factory settings to remove it.

Help Net Security has reached out to the NCSC to ask for more details about the extent and success of this unusual malware delivery campaign, and we’ll update this article if we hear back from them.

UPDATE (November 16, 2024, 02:55 a.m. ET):

“For tactical reasons, we cannot provide any information about the measures taken,” a NCSC spokesperson told us.

“We are also unable to provide any information about the distribution of the letter, as there is no general reporting requirement in Switzerland. Reporting to the NCSC is voluntary, therefore the number of unreported cases may be correspondingly higher. The [Federal Office for Cyber ​​Security] (BACS) has so far received around a dozen reports about this letter.”

A Google spokesperson told Help Net Security that based on their current detection, no apps containing this malware are found on Google Play.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

OPIS OPIS

OPIS

Don't miss