The British government's National Cyber Security Centre (opens in new tab) (NCSC) is warning about a phishing campaign targeting owners of Android phones that could steal "passwords and other sensitive information."
The attack starts with an SMS text message informing you that you've got a package coming from DHL, with a link to track the package. The link leads to a phony DHL website inviting you to download and install the DHL package-tracking app — but the app is actually information-stealing malware called FluBot.
- How to stop apps from tracking you in iOS 14.5
- The best Android antivirus apps for your non-iPhone phone
- Plus: Google Assistant could say goodbye to 'Hey Google'
"While messages so far have claimed to be from DHL, the scam could change to abuse other company brands," warned the NCSC in a recent blog post (opens in new tab).
Here's a tweet from Vodafone UK showing what the scam SMS text may look like.
⚠️SCAM TEXT ALERT ⚠️If you receive a text message that looks like the one below:IGNORE: Do not click any links.REPORT: Report it by forwarding to 7726.DELETE: Remove the text from your phone. pic.twitter.com/ailKcmXYh4April 22, 2021
And here's how the phony DHL page may appear on your phone, courtesy of the NCSC.
By default, Android devices that use Google Play can't install apps from any other source. However, users can override this setting, and the phony DHL site shows you how.
Apple iPhones can't run this Android malware, of course, but the NCSC notes that "the scam text messages may still redirect them [iPhone users] to a scam website which may ... steal your personal information."
If you get a text message informing you of a package you're not expecting, "do not click the link in the message, and do not install any apps if prompted," says the NCSC. The same applies to residents of other countries, of course.
United Kingdom-based readers can forward suspicious messages to 7726, the national spam-reporting number.
If you've already installed this malicious app, the NCSC recommends performing a factory reset of your Android phone — which will delete all your data, of course. If you have a backup of your phone (Google will have saved much of your data), then make sure you don't reinstall a backup made after you installed the malicious FluBot app.
Using one of the best Android antivirus apps will go a long way to prevent you from being hit with this kind of scam malware.