Hackers are now sending scam QR codes via physical mail — and they can steal your passwords

The postal service is being weaponized by hackers.

We've warned you about QR code scams before. Now, we're warning you about a new QR code scam – one that may show up in your physical mailbox.

The National Cyber Security Centre (NCSC) in Switzerland has issued an alert about a new scheme in which hackers and scammers weaponize the postal service. The scam involves a physical piece of mail arriving at a target's door, urging them to download an app.

The app, which can be downloaded via a QR code displayed on the mailer, is actually malware disguised as a legitimate app that can steal data from the user's device.

A new type of QR code scam

The hackers and scammers behind this fraudulent scheme imitate Switzerland's Federal Office of Meteorology and Climatology, right down to the official governmental seals on the mailed document. The mailer urges recipients to scan the QR code in order to download a "Severe Weather Warning App" for Android devices. 

When the QR code is scanned, users aren't taken to the official Google Play store, but instead to a third-party site. Once there, they are asked to download an "AlertSwiss" app.


As first reported by The Register, there are some obvious discrepancies between the hackers' app and the real one that it copies. There is a genuine government app with the same name, but it's called "Alertswiss," without the capitalized "S." In addition, while the fake app attempts to mimic the app logo, it isn't exactly the same.
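Both discrepancies described above (a download page that is not Google Play, and an app name that differs from the genuine one only in capitalization) can be checked mechanically once the QR code has been decoded to a URL. The Python below is an added example, not code from NCSC, The Register or this article; the function name, finding labels, sample hosts and package id are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

PLAY_HOST = "play.google.com"          # official Google Play web host
PLAY_PATH = "/store/apps/details"      # path of a Play Store app listing

def check_qr_target(url, shown_name, genuine_name):
    """Return red-flag labels for a URL decoded from a QR code.

    An empty list means none of the checks below fired; it is not proof
    that the app is safe.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return ["unparseable-url"]

    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if userinfo:
        # "https://play.google.com@other.host/" really points at other.host
        findings.append("userinfo-in-url")
    if host != PLAY_HOST:
        # exact match: "play.google.com.example.net" is not Google Play
        findings.append("not-google-play")
    elif parts.path.rstrip("/") != PLAY_PATH or not parse_qs(parts.query).get("id"):
        findings.append("not-a-play-listing")
    if shown_name != genuine_name:
        same_letters = shown_name.casefold() == genuine_name.casefold()
        findings.append("name-differs-only-by-case" if same_letters else "name-mismatch")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs; hosts and package id are placeholders.
    samples = [
        ("https://play.google.com/store/apps/details?id=example.placeholder.app", "Alertswiss"),
        ("https://downloads.example.net/alertswiss.apk", "AlertSwiss"),
        ("https://play.google.com@downloads.example.net/store/apps/details?id=x", "AlertSwiss"),
    ]
    for url, name in samples:
        print(url, "->", check_qr_target(url, name, "Alertswiss") or "no red flags")
```

The host comparison is an exact match on the parsed hostname, so a URL that merely contains the string "play.google.com" in its userinfo or as a subdomain prefix is still flagged.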

The fake app, when downloaded, installs a "variant of the Coper trojan" malware on the target's device. This malware can log the user's activity on the device, stealing passwords, messages, notifications, and other sensitive information. It can also automatically display phishing pages on the infected device.

NCSC told The Register that this was the first time it had ever come across malware being delivered via physical mail in this way. 

Unlike email, there is a cost associated with sending each piece of physical mail, so this attack method must be delivering some level of success to the scammers behind it.

If bad actors aren't already looking at replicating this campaign outside of Switzerland, this warning should serve as an important notice to be on the lookout for QR code scams being sent to your physical address in the not-so-distant future.
