Introduction

A sophisticated malware campaign has emerged in Switzerland, involving fraudulent postal letters that impersonate the Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) [1]. These letters aim to deceive recipients into downloading a malicious application under the guise of a severe weather alert.

Description

A malware campaign has been identified in Switzerland [4], in which fraudsters are sending counterfeit postal letters that impersonate the Swiss Federal Office of Meteorology and Climatology (MeteoSwiss). Dated 12 November [7], the letters carry a QR code that leads recipients to download a malicious application deceptively named “Severe Weather Warning.” The app mimics the legitimate “Alertswiss” app used by federal and cantonal agencies for public alerts [1], but it is hosted on an unverified third-party website [4] rather than on the Google Play Store, where the authentic version is available. Notably, the fraudulent app’s name is misspelled as “AlertSwiss,” differing from the correct “Alertswiss,” and it uses a slightly altered rectangular logo in a white circle, whereas the genuine app’s logo is round.

Upon installation [1] [4], the app deploys a sophisticated variant of the Coper Trojan, also known as “Octo2,” designed to steal sensitive information from Android devices, including login credentials for over 383 mobile applications [2] [7], particularly targeting banking credentials and two-factor authentication (2FA) codes [4]. Coper is classified as a banking Trojan with Device Takeover (DTO) capabilities, advanced obfuscation techniques to evade detection [1], and overlay attacks for credential theft [1]. The malware can log keystrokes, intercept 2FA messages, and communicate with command-and-control servers [4] [6], presenting phishing screens to extract sensitive information from users [6].

The Swiss National Cyber Security Centre (NCSC) has noted that this is the first instance of malware being delivered via physical mail in Switzerland [4]. The letters are crafted to appear credible [4], utilizing official logos and urgent language [4], exploiting the general public’s lack of suspicion towards such communications [1], particularly as QR codes have become more prevalent post-COVID-19 [1]. Reports indicate that more than a dozen individuals have contacted the NCSC regarding these fake letters [2], which are likely part of a spear-phishing campaign targeting specific individuals. The NCSC has outlined several warning signs to help individuals identify the scam [4], including misspelled or altered app names [4], apps hosted on third-party sites instead of official app stores [4], and unsolicited requests to scan QR codes [4].
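The NCSC warning signs above can be turned into a simple triage check for a URL decoded from a QR code before anyone taps it. The following is an added example written for this summary, not code from the NCSC or any of the cited sources; it assumes that only the Google Play and Apple App Store hosts count as official stores, and the sample URLs and app names are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: these are the only hosts treated as official app stores.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Legitimate app name as the article spells it; case or spacing variants are lookalikes.
LEGIT_APP_NAMES = {"Alertswiss"}


def normalize_name(name: str) -> str:
    """Collapse case and drop non-letters so 'AlertSwiss' and 'Alert Swiss' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def triage_qr_target(url: str, displayed_app_name: str) -> list[str]:
    """Return the NCSC-style warning signs that fire for a decoded QR link.

    An empty list means none of the checks fired; it does not prove the link is safe.
    """
    signs: list[str] = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    if parsed.scheme not in ("http", "https") or not host:
        signs.append("unparseable or non-web link")
        return signs

    # Sign 1: app offered from a third-party site instead of an official store.
    if host not in OFFICIAL_STORE_HOSTS:
        signs.append(f"app hosted on third-party site: {host}")

    # Sign 2: a direct package download means sideloading, bypassing store review.
    if path.endswith(".apk"):
        signs.append("direct APK download (sideloading)")

    # Sign 3: app name differs from a legitimate one only in case or spacing.
    norm = normalize_name(displayed_app_name)
    for legit in LEGIT_APP_NAMES:
        if norm == normalize_name(legit) and displayed_app_name != legit:
            signs.append(f"app name {displayed_app_name!r} is a lookalike of {legit!r}")
    return signs


if __name__ == "__main__":
    # Constructed sample: the letter's QR code resolves to a non-store host serving an APK.
    for sign in triage_qr_target("https://weather-alert.example.invalid/AlertSwiss.apk", "AlertSwiss"):
        print("WARNING:", sign)
```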

The NCSC advises Swiss residents to securely destroy any suspicious letters and to refrain from scanning the QR codes they contain [4]. If the malware has already been installed, a factory reset of the device is recommended [4]. Many mobile users, particularly Android users [1], may be vulnerable because of outdated software and missing security patches [1] [2], which makes them easy targets for this type of attack [1]. The NCSC emphasizes the importance of not giving in to pressure from unsolicited communications and recommends downloading mobile apps only from official app stores [5]. Citizens are also encouraged to report any suspicious letters to the NCSC [6]. Google has confirmed that no apps containing this malware are present on Google Play [3] and that Android users are protected against known versions of the malware through Google Play Protect [3]. These incidents underscore the increasing sophistication of phishing schemes and the need for caution when scanning QR codes from unknown sources [2]. Similar schemes have been reported in other countries, where deceptive packages containing QR codes are used to load malware or redirect victims to phishing pages [3], compromising personal and financial information [3].

Conclusion

This incident highlights the evolving tactics of cybercriminals, who are now leveraging physical mail to distribute malware. The Swiss National Cyber Security Centre’s guidance is crucial in mitigating the impact of such threats. As phishing schemes grow more sophisticated, individuals must remain vigilant, particularly when interacting with QR codes and unsolicited communications. The situation underscores the importance of maintaining updated security measures and relying on official app stores to minimize exposure to malicious software.

References

[1] https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware
[2] https://www.wizcase.com/news/people-are-receiving-malware-through-their-mail-via-infected-qr-codes/
[3] https://uk.pcmag.com/security/155357/watch-out-for-malicious-qr-codes-sent-through-the-mail
[4] https://www.infosecurity-magazine.com/news/swiss-cyberagency-qr-code-mail-scam/
[5] https://www.techspot.com/news/105615-malicious-android-app-masquerades-swiss-weather-service-delivered.html
[6] https://www.techradar.com/pro/security/hackers-are-spreading-qr-code-malware-through-the-post
[7] https://www.techepages.com/malware-being-delivered-by-mail-warns-swiss-cyber-agency/