Malware delivered via malicious QR codes sent in the post

Cybercriminals have adopted a novel trick for infecting devices with malware: sending out physical letters that contain malicious QR codes.

Switzerland's National Cyber Security Centre (NCSC) has issued a warning to the public about letters sent through the post that pretend to come from the Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) that encourage recipients to scan a QR code.

The letters claim that scanning the QR code will install a new severe weather app onto their Android smartphones.

However, according to the NCSC, the QR code's link actually takes Android users to a malicious app called Coper (also known as Octo2) which attempts to steal sensitive credentials from over 380 apps - including banking apps.

In addition, Coper allows hackers to gain remote access of infected devices, opening opportunities for attackers to steal more information and spy upon affected users.

The app promoted in the letters mimics a genuine "Alertswiss" weather app used in Switzerland - spelled "AlertSwiss" in the fake version. The Coper malware can be easily customised to use different names, so it is quite possible that other names could be used for the maliicous app, and - indeed - that it may not be presented as a weather-related app at all.

It is unusual, but not unheard of, for cybercriminals to distribute malware and dangerous links at scale via the postal system due to the increased cost compared to spreading an attack digitally.

However, this rarity can also work to a criminal's advantage. Many people will not be as suspicious of instructions which arrives via a physical letter compared to, for instance, via email or SMS text message.

Furthermore, many users have become accustomed to scanning QR codes in real-life situations such as restaurants and carparks, without verifying that they are being taken to a legitimate webpage.

The NCSC is asking letter recipients to report it to them online and - obviously - not visit the malicious link.

Users who have already been tricked into downloading and installing the app are advised to reset their affected smartphone to factory settings, and change any login credentials that may have been compromised.

Smartphone users would be wise to be on their guard, ensuring that their devices are up-to-date with security patches, are running anti-virus protection, and to only install apps from official app stores.