This package delivery text will steal your passwords — what you need to do

Woman tapping smartphone while delivery person hands her a package.

(Image credit: Indypendenz/Shutterstock)

The British government's National Cyber Security Centre (NCSC) is warning about a phishing campaign targeting owners of Android phones that could steal "passwords and other sensitive information."

The attack starts with an SMS text message informing you that you've got a package coming from DHL, with a link to track the package. The link leads to a phony DHL website inviting you to download and install the DHL package-tracking app — but the app is actually information-stealing malware called FluBot.

How to stop apps from tracking you in iOS 14.5
The best Android antivirus apps for your non-iPhone phone
Plus: Google Assistant could say goodbye to 'Hey Google'

"While messages so far have claimed to be from DHL, the scam could change to abuse other company brands," warned the NCSC in a recent blog post.

Here's a tweet from Vodafone UK showing what the scam SMS text may look like.

⚠️SCAM TEXT ALERT ⚠️If you receive a text message that looks like the one below:IGNORE: Do not click any links.REPORT: Report it by forwarding to 7726.DELETE: Remove the text from your phone. pic.twitter.com/ailKcmXYh4April 22, 2021

And here's how the phony DHL page may appear on your phone, courtesy of the NCSC.

A screen shot of a website advertising a fake DHL package-tracking app. — (Image credit: National Cyber Security Centre)

By default, Android devices that use Google Play can't install apps from any other source. However, users can override this setting, and the phony DHL site shows you how.

Apple iPhones can't run this Android malware, of course, but the NCSC notes that "the scam text messages may still redirect them [iPhone users] to a scam website which may ... steal your personal information."

If you get a text message informing you of a package you're not expecting, "do not click the link in the message, and do not install any apps if prompted," says the NCSC. The same applies to residents of other countries, of course.

United Kingdom-based readers can forward suspicious messages to 7726, the national spam-reporting number.

If you've already installed this malicious app, the NCSC recommends performing a factory reset of your Android phone — which will delete all your data, of course. If you have a backup of your phone (Google will have saved much of your data), then make sure you don't reinstall a backup made after you installed the malicious FluBot app.

Using one of the best Android antivirus apps will go a long way to prevent you from being hit with this kind of scam malware.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.