Switzerland's National Cyber Security Centre (NCSC) has uncovered a new malware campaign that targets Swiss residents through fake postal letters. The fraudulent letters are disguised as official correspondence from MeteoSwiss, the Federal Office of Meteorology and Climatology, and urge recipients to scan a QR code and download a malicious weather app for Android devices.
See: https://redskyalliance.org/xindustry/malicious-qr-codes
The fake “Severe Weather Warning App” mimics the legitimate Alertswiss app but is labeled “AlertSwiss” and carries a slightly altered logo. Unlike the authentic app, which is available on the Google Play Store, the fraudulent version is hosted on an unverified third-party website. Once installed, the app deploys a variant of the Coper Trojan that steals sensitive data, including banking credentials, and intercepts two-factor authentication (2FA) codes.
Coper malware is hazardous because it can log keystrokes, communicate with command-and-control (C2) servers, and display phishing screens to gather additional information. It reportedly has access to over 383 smartphone applications, which significantly expands its threat.
See: https://redskyalliance.org/xindustry/trojans-targeting-financial-apps-with-a-billion-users
The Swiss NCSC described this as the first instance of malware being delivered through physical mail in Switzerland, with the letters appearing highly credible due to their use of official logos and urgent language. They warned individuals to look out for several warning signs, including:
• Misspelled or altered app names (e.g., “AlertSwiss” instead of “Alertswiss”)
• Apps hosted on third-party sites rather than official app stores
• Requests to scan QR codes in unsolicited mail
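As an added example (not from the NCSC or Red Sky Alliance), a small triage helper that checks a decoded QR payload and the advertised app label against the warning signs above; the store allowlist, host names and package id are constructed placeholders.

```python
from urllib.parse import urlparse
import unicodedata

# Constructed allowlist of official store hosts (assumption for this example).
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
# Legitimate app names a lure might imitate; Alertswiss is the real app named above.
KNOWN_APP_NAMES = {"Alertswiss"}


def normalize_name(name):
    """Case-fold, strip accents and spaces so 'AlertSwiss' and 'Alertswiss' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(stripped.casefold().split())


def lookalike_of(label):
    """Return the legitimate name this label imitates: same after normalisation, not identical."""
    for legit in KNOWN_APP_NAMES:
        if label != legit and normalize_name(label) == normalize_name(legit):
            return legit
    return None


def triage_qr_payload(url, app_label=None, unsolicited=False):
    """Return the list of red flags raised by a decoded QR payload advertising an app install."""
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        # Store deep links use other schemes; leave those for manual review rather than guessing.
        flags.append("not a web URL, inspect manually: " + parsed.scheme)
    elif host not in OFFICIAL_STORE_HOSTS:
        flags.append("app hosted outside official store: " + host)
    if parsed.path.lower().endswith(".apk"):
        flags.append("direct APK download (sideload)")
    if app_label:
        legit = lookalike_of(app_label)
        if legit:
            flags.append(f"app name '{app_label}' imitates '{legit}'")
    if unsolicited:
        flags.append("QR code arrived in unsolicited mail")
    return flags


if __name__ == "__main__":
    # Constructed lure: third-party host, direct APK, lookalike name, delivered by unsolicited letter.
    for flag in triage_qr_payload("https://weather-alert.example/AlertSwiss.apk", "AlertSwiss", True):
        print("-", flag)
```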
“As a relatively new attack vector, QR code scams do not have the kind of ingrained suspicion we’ve come to expect from other phishing techniques,” said Mike Britton, CIO at Abnormal Security. “Just as we’ve seen in the UK with a recent winter fuel payments scam, attackers are seeing success in imitating trusted sources promptly. Unlike on the web where you can use automated solutions to catch phishing attempts, these attacks will be solely down to the individual to catch out.”
Additionally, unlike email-based attacks, mailing physical letters incurs higher costs, suggesting the campaign may be aimed at high-value targets. Swiss residents are urged to destroy these letters and avoid scanning any QR codes they contain. The NCSC advises resetting devices to factory settings if the malware has already been installed.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com