People Are Receiving Malware Through Their Mail Via Infected QR Codes

Swiss authorities are warning the public about a series of counterfeit letters, purportedly from MeteoSwiss, that contain a dangerous scam.

The letters, which include a QR code, instruct recipients to download a new ‘Severe Weather Warning App.’ However, scanning the QR code leads to the installation of malware.

The National Cyber Security Centre (NCSC), MeteoSwiss, and the Federal Office for Civil Protection (FOCP) have received multiple reports of these fake letters being sent out by fraudsters.

“It is the first time the NCSC sees malware delivery through this method,” the agency told The Register.

“The letters look official with the correct logo of the Federal Office for Meteorology and thus trustworthy. In addition, the fraudsters build up pressure in the letter to tempt people into rash actions,” the agency added.

The QR code directs users to download malware known as ‘Coper’ (or ‘Octo2’), which is designed to steal sensitive data, including login credentials for over 383 smartphone apps, such as e-banking applications.

The malware specifically targets smartphones running the Android operating system. Once installed, it masquerades as the legitimate ‘AlertSwiss’ app—a government-backed tool used for public safety alerts.

However, the fake app displays a slightly altered version of the logo and an incorrect spelling (‘AlertSwiss’ instead of ‘Alertswiss’) to differentiate it from the real app.

The agency explained to the Register that it’s unclear how many people received the letters, as Switzerland lacks a universal reporting requirement for incidents like this. However, the NCSC confirmed it had been contacted by more than a dozen individuals.

Sending physical letters in Switzerland typically costs around $1.35 per piece, indicating the scammers likely targeted specific individuals for spear-phishing, noted The Register.

Malwarebytes highlights several advantages for criminals using QR codes in physical mail. People often don’t expect a letter—something seemingly non-technical—to infect their devices.

Since QR codes are typically scanned by mobile devices, which are often overlooked in terms of security software, these attacks can go undetected, noted Malwarebytes.

QR codes have become more common, especially following the COVID-19 pandemic, which pushed many restaurants to switch to digital menus for safety. As a result of this widespread adoption, seeing a QR code in a letter from an official source no longer raises immediate suspicion, as argued by Malwarebytes.

Many Android users also face security vulnerabilities due to “patch gaps” or outdated versions no longer receiving updates. This gap arises from delays in distributing fixes from software vendors to device manufacturers, who must then make updates available to users, noted Malwarebytes.

Swiss authorities advise anyone who receives one of these fraudulent letters to report it to the NCSC using their online form and then dispose of the letter. If the fake app has already been downloaded, users are urged to reset their phone to factory settings to remove the malware.

These incidents highlight the growing sophistication of phishing schemes and the importance of caution when scanning QR codes from unknown sources. Authorities are actively working on countermeasures to prevent further attacks.