Hackers now sending physical malicious letters, Swiss authorities warn


Is there anything threat actors won’t do to gain initial access? Swiss authorities are warning about a new sophisticated cybersecurity threat – malicious counterfeit letters.

Cyber bandits have launched a malicious campaign across Switzerland using counterfeit letters that appear to be from MeteoSwiss (the Federal Office of Meteorology and Climatology).

The victims report that the letters contain a QR code asking recipients to download a new “Severe Weather Warning App.”


The fraudulent letter pressures recipients by claiming that the app is mandatory and essential for family safety. It instructs users to scan the included QR code with a smartphone and follow the subsequent instructions to download and install the app.

“In light of the increasing frequency and intensity of severe weather events in Switzerland, we, the Federal Office of Meteorology and Climatology, want to ensure your safety and that of your family,” the fake letter claims.


The Swiss National Cyber Security Centre (NCSC) warns that fraudsters are using this method to load malware onto mobile devices. The malicious app attempts to mimic the real Alertswiss app from the Federal Office for Civil Protection, which agencies use to inform, warn, and alert the population.

“There is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’),” the NCSC’s alert reads.
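The practical rule behind the NCSC's warning is simple: a QR code printed on a letter should only ever lead into an official app store, never to a file the phone has to install itself. The following Python script is an added example for this article, not code from the NCSC, MeteoSwiss or Google. It decodes nothing itself; it takes the URL a QR scanner shows you and triages it. The store hosts listed are the real Google Play and App Store hosts; the sample URLs, domains and the package name are constructed for the demo.

```python
"""Triage a URL decoded from a QR code before anyone taps it.

Added example, not code from the NCSC, MeteoSwiss or Google. Rule encoded:
only links into the official app stores are acceptable; anything that hands
the phone a package to install is a sideload lure. Sample URLs below are
constructed for the demo.
"""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Hosts that serve the official app stores (Google Play, Apple App Store).
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# File extensions that mean "install this package directly" on Android.
SIDELOAD_EXTENSIONS = (".apk", ".xapk", ".apks", ".aab")


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_qr_url(url: str) -> dict:
    """Return {'verdict': ..., 'reasons': [...], 'package': ...}.

    verdict is 'official_store' when the link lands on a store host (or uses
    Android's market:// scheme), otherwise 'sideload_lure' with the reasons hit.
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    package = parse_qs(parsed.query).get("id", [None])[0]

    # market://details?id=... is how Android deep-links into Google Play.
    if parsed.scheme == "market":
        return {"verdict": "official_store", "reasons": reasons, "package": package}

    if parsed.scheme not in ("http", "https"):
        # intent:// or custom schemes can launch installers or other apps.
        reasons.append(f"non-web scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        reasons.append("plain HTTP, content can be swapped in transit")

    if host in OFFICIAL_STORE_HOSTS:
        return {"verdict": "official_store", "reasons": reasons, "package": package}

    if not host:
        reasons.append("no host in URL")
    elif _is_ip_literal(host):
        reasons.append("host is a bare IP address, not a named domain")
    elif "xn--" in host:
        reasons.append("punycode label in host, possible lookalike domain")

    if path.endswith(SIDELOAD_EXTENSIONS):
        reasons.append("direct package download, requires sideloading")

    if not reasons:
        reasons.append("not an official store link")
    return {"verdict": "sideload_lure", "reasons": reasons, "package": package}


# Constructed sample URLs, as a QR scanner might present them.
SAMPLES = [
    "https://play.google.com/store/apps/details?id=example.weather.app",
    "http://severe-weather-warning.example/download/AlertSwiss.apk",
    "https://203.0.113.10/app",
    "https://xn--alertswss-t3a.example/AlertSwiss.apk",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = triage_qr_url(u)
        print(f"{r['verdict']:15} {u}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The script deliberately does not try to judge whether a domain "looks like" MeteoSwiss or Alertswiss; a lookalike check is easy to evade, whereas "is this an official store link or not" is a yes/no question a help desk can apply consistently. A store link can still point at a malicious listing, so the returned package id is there to be checked against the publisher you expect.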

Octo2 malware is a credential-stealing Android banking trojan actively spreading in Italy, Poland, Moldova, Hungary, and other countries.

When the supposed ‘Severe Weather Warning App’ is installed, the malware attempts to access login data from over 383 smartphone apps, including e-banking apps, and exfiltrate it to an attacker-controlled server.


The malicious app has telltale traits: its name is spelled ‘AlertSwiss’ rather than ‘Alertswiss’, and its icon differs significantly from the genuine one. The fake logo is rectangular inside a white circle, while the genuine app’s logo is round.

However, malicious apps can take many forms. Previously, hackers disguised Octo2 malware as Google Chrome, NordVPN, and “Enterprise Europe Network” apps.

“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said.

Swiss authorities recommend users ignore the letter and throw it away. Initial countermeasures have already been taken against the scammers.

“Do not let yourself be put under pressure. Only download apps from the official app stores (App Store, Google Play Store). If you have already installed the app, reset the smartphone to the factory settings,” the NCSC said.

Updated on November 18th [08:00 a.m. GMT] with a statement from Google.