Published on July 13, 2016 14:00 UTC by GovCERT.ch
Last updated on July 15, 2016 10:16 UTC
MELANI / GovCERT.ch received several reports today about malicious SMS messages sent to Swiss mobile numbers. The SMS is written in German and claims to come from the Swiss Post. In fact, the SMS was sent by hackers with the aim of infecting smartphones in Switzerland with a Trojan horse.
The SMS contains a link to a website. If the user taps the link, they are redirected to a hijacked website that hosts an app which installs malware on the victim's smartphone. As the served file is an Android application package (APK), only Android users are affected by this threat.
By default, Google does not allow apps from third parties (such as third-party app stores or direct downloads from the internet) to be installed. However, the user can allow the installation of third-party apps by changing the Android security settings. In most cases users do not change these settings, so common Android users should be safe. Yet this week some Swiss newspapers published articles showing their readers how to enable the installation of Android apps from third parties (aka "unknown sources") in order to install the new Nintendo game Pokemon GO, as the app isn't available in the Swiss version of the Google Play Store yet. Even before its launch in Switzerland the game went viral, and obviously many Android users in Switzerland wanted to play it before it appeared in the Swiss app store. As a result, some Android users may have followed the newspapers' instructions and enabled the installation of apps from third parties, making themselves vulnerable to this type of attack.
The app requests permission to erase all data on the victim's phone (see screenshot above). In addition, it calls out to a botnet command-and-control (C&C) server in order to receive further commands from the attackers. According to FireEye, the app is part of a larger cybercrime operation with the aim of stealing login credentials for popular apps such as Uber, Viber and Facebook (phishing / smishing).
In the previous SMS spam campaign we observed in Switzerland a few weeks ago, the malicious app was downloaded more than 15'000 times.
In general, we strongly recommend that Android users disable the installation of third-party apps from unknown sources. To make sure this is disabled, go to Settings -> Security on your Android device and check that the option "Unknown sources" is turned off:
We recommend never changing this setting, even when you are instructed to do so (strangers may try to convince you to do so in order to place malware on your smartphone).
Android APK download URLs:
hXXp://ieej.lv/swissp
hXXp://riorancholeakletter.com/sp.apk
Android APK (malware):
Filename: sp.apk
MD5 hash: c121a1ae8a4ee564fd6bd079ad5d3373
Android malware botnet C&C:
hXXp://85.93.5.146/?action=command
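The indicators above are published defanged, so before they can be fed to a proxy or DNS log search they have to be refanged and reduced to their hosts. The following Python script is an added example written for this post (it is not GovCERT.ch code): it refangs the three URLs, extracts their hosts, flags log lines that contact one of them, and checks a file's MD5 against the published sp.apk hash. The log lines and the bytes used in the hash check are constructed sample data, not real telemetry.

```python
"""Match the indicators from the GovCERT.ch post against sample log lines.

Added example, not GovCERT.ch code.  Indicator values are the ones published
in the post; the log lines below are constructed sample data.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post, in the defanged form it uses (hXXp://).
DEFANGED_URLS = [
    "hXXp://ieej.lv/swissp",
    "hXXp://riorancholeakletter.com/sp.apk",
    "hXXp://85.93.5.146/?action=command",
]
MALWARE_MD5 = "c121a1ae8a4ee564fd6bd079ad5d3373"  # MD5 of sp.apk, from the post

# Constructed sample proxy/DNS log lines (assumed format: time, client, verb, URL, ...).
SAMPLE_LOG = [
    "2016-07-13T09:12:41Z 10.0.0.17 GET http://ieej.lv/swissp 302 Android 5.1",
    "2016-07-13T09:12:43Z 10.0.0.17 GET http://riorancholeakletter.com/sp.apk 200 apk",
    "2016-07-13T09:13:05Z 10.0.0.17 GET http://85.93.5.146/?action=command 200 text",
    "2016-07-13T09:14:00Z 10.0.0.23 GET https://www.post.ch/de 200 html",
    "2016-07-13T09:15:10Z 10.0.0.31 DNS query A ieej.lv",
]


def refang(url: str) -> str:
    """Turn a defanged indicator (hXXp, [.], {dot}, [:]) back into a real URL string."""
    return (url.replace("hXXp", "http").replace("hxxp", "http")
               .replace("[.]", ".").replace("{dot}", ".").replace("[:]", ":"))


def indicator_hosts(defanged):
    """Lower-cased set of hosts (domain or IP) taken from the published URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in defanged}


URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def match_log_lines(lines, hosts):
    """Return (line_no, host) for every line that touches an indicator host.

    First the host of a full URL in the line is compared; if that does not
    hit, the bare hostnames/IPs are searched so DNS-style lines match too.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_HOST_RE.search(line)
        if m and m.group(1).lower() in hosts:
            hits.append((n, m.group(1).lower()))
            continue
        for h in sorted(hosts):
            # host must not be part of a longer name (e.g. notieej.lv)
            if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w-])", line, re.IGNORECASE):
                hits.append((n, h))
                break
    return hits


def md5_matches(data: bytes) -> bool:
    """True if the given file contents hash to the published sp.apk MD5."""
    return hashlib.md5(data).hexdigest() == MALWARE_MD5


if __name__ == "__main__":
    for line_no, host in match_log_lines(SAMPLE_LOG, indicator_hosts(DEFANGED_URLS)):
        print(f"line {line_no}: contact with indicator host {host}")
```

The host-level match is deliberately broader than the full URLs: a client that fetched anything from riorancholeakletter.com or 85.93.5.146 during the campaign window is worth a look, not only one that requested the exact path. A hit on the C&C address in particular suggests the APK was already installed and is calling home, which is a different priority from a user who only followed the SMS link.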