Medium Severity · Resolved · Verified Report · SMS

Fake Delivery Text with Malware Link

Reported by MobileSecurity (Trust: 87%) on 2024-02-10 · Channel: SMS
178 upvotes · 49 comments · 2,650 views · 71 shares
Amount Involved / Potential Loss: $0 (prevented)

Report Summary

Text message about a package delivery with a "tracking" link that leads to a malware download for the phone.

⚠️ Warning Signs Identified:

  • Pressure to act quickly without time for consideration
  • Requests for payment via unusual methods (gift cards, cryptocurrency)
  • Poor grammar and spelling in communications
  • Email addresses that don't match company domain

Full Report Details

SMS Delivery Malware Attack

Message Details

Sender: "USPS" (spoofed)
Time Received: February 10, 2024, 11:32 AM
Content: "USPS: Your package has a delivery exception. Update address: [malicious-link]"
Context: Was expecting multiple packages (made it credible)

Attack Analysis

Message Characteristics

  1. Sender ID: Spoofed alphanumeric sender ID displaying "USPS" rather than a phone number
  2. Urgency: "Delivery exception" framing pushes the recipient to act immediately
  3. Personalization: None; wording generic enough for mass sending
  4. Link: usps-tracking-update[.]com (lookalike domain; the carrier's real domain is usps.com)

Link Analysis

  1. Website: Professional USPS replica
  2. Request: Enter address and phone number
  3. Malware: Android APK download disguised as a "tracking update" (a sideload; the browser only installs it after the user allows installs from unknown sources)
  4. Permissions: Requested full device access
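
A triage routine for delivery-themed texts like the one above, added here as an example and not part of the original report. It extracts the URL from the message, compares the link's registrable domain against the brand's real domain, and scores urgency cues. The sample message reuses the report's wording and the domain usps-tracking-update[.]com; the URL path `/track`, the official-domain table, the cue list and the scoring weights are the author's assumptions, and the other two sample texts are constructed.

```python
"""Triage helper for delivery-themed smishing texts (added example, not from the report).

Given the raw text of an SMS, extract any URLs (defanged or not), compare the
registrable domain against the brand's official domain, and score urgency cues.
The official-domain table, cue list and weights are assumptions.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> official registrable domains (assumption; extend per carrier).
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com"},
}

# Phrases that push the recipient to act now (assumption).
URGENCY_CUES = (
    "delivery exception", "update address", "immediately", "within 24 hours",
    "suspended", "reschedule", "failed", "final notice",
)

# http/hxxp URLs or bare domains, with or without [.] defanging.
URL_RE = re.compile(
    r"(?:h(?:tt|xx)ps?://)?(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed samples: the first mirrors the report's message and domain.
SMISHING_SMS = ("USPS: Your package has a delivery exception. "
                "Update address: hxxps://usps-tracking-update[.]com/track")
BENIGN_SMS = ("USPS: Your package is out for delivery. "
              "Track at https://tools.usps.com/go/TrackConfirmAction")
NO_BRAND_SMS = ("Your parcel could not be delivered. "
                "Reschedule: hxxps://parcel-redelivery[.]example/x")


def refang(s: str) -> str:
    """Undo common defanging so the URL can be parsed."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(url: str) -> str:
    """Registrable domain = last two labels. Simplification: ignores
    multi-part public suffixes such as co.uk."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brands_mentioned(text: str) -> list:
    t = text.lower()
    return [b for b in OFFICIAL_DOMAINS if re.search(rf"\b{b}\b", t)]


def triage_sms(text: str) -> dict:
    urls = [refang(m.group(0)) for m in URL_RE.finditer(text)]
    brands = brands_mentioned(text)
    findings, score = [], 0
    for u in urls:
        rd = registered_domain(u)
        for b in brands:
            if rd not in OFFICIAL_DOMAINS[b]:
                findings.append(f"link domain {rd} is not an official {b.upper()} domain")
                score += 50
                if b in rd:  # brand name embedded in a lookalike domain
                    findings.append(f"brand name embedded in lookalike domain {rd}")
                    score += 20
    cues = [c for c in URGENCY_CUES if c in text.lower()]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
        score += 10 * len(cues)
    if urls and not brands:
        score += 10  # a link with no identifiable sender context
        findings.append("link present but no identifiable brand")
    score = min(score, 100)
    verdict = ("likely smishing" if score >= 50
               else "review" if score > 0 else "no indicators")
    return {"urls": urls, "brands": brands, "score": score,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sms in (SMISHING_SMS, BENIGN_SMS, NO_BRAND_SMS):
        print(triage_sms(sms))
```

Sender ID cannot be validated from the message body, which is why the check keys on the link: an alphanumeric sender ID can be spoofed, but a lookalike registrable domain cannot be hidden from a parser.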

Technical Investigation

Malware Analysis

  1. Type: Trojan disguised as USPS tracking app
  2. Capabilities:
    • SMS interception
    • Keylogging
    • Contact list theft
    • Banking app credential theft
    • Remote access
  3. Distribution: 5,000+ downloads before takedown
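
One way to substantiate a capability list like the one above from an APK's manifest, added here as an example and not the report's own analysis (the report's malware-report.txt is not reproduced on this page). Decode the APK first (for instance `apktool d sample.apk`), then run the decoded AndroidManifest.xml through a check like this. The manifest below is constructed for illustration and is not the real sample; the permission-to-capability map, the official package prefix `com.usps` and the verdict thresholds are the author's assumptions.

```python
"""Score a decoded AndroidManifest.xml for banking-trojan capabilities
(added example, not from the report). Constructed manifest, assumed mappings.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Capability -> permissions/declarations that usually enable it (assumption).
CAPABILITY_MAP = {
    "SMS interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "Contact list theft": {"android.permission.READ_CONTACTS"},
    "Overlay / credential phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "Keylogging via accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "Boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                         "android.permission.FOREGROUND_SERVICE"},
    "Self-spreading (SMS to contacts)": {"android.permission.SEND_SMS"},
}

# Brand -> package prefixes the brand's real app would use (assumption).
OFFICIAL_PACKAGE_PREFIXES = {"usps": ("com.usps",)}

# Constructed manifest resembling a delivery-themed trojan; NOT the real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.tracking.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="USPS Tracking">
        <service android:name=".KeyService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                   'package="com.example.notes">'
                   '<uses-permission android:name="android.permission.INTERNET"/>'
                   '<application android:label="Notes"/></manifest>')


def declared_permissions(root) -> set:
    """uses-permission entries plus permissions enforced on components
    (an accessibility service is declared via android:permission)."""
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(A + "permission") for e in root.iter()}
    return {p for p in perms if p}


def assess(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    caps = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_MAP.items() if perms & needed}
    app = root.find("application")
    label = (app.get(A + "label") if app is not None else "") or ""
    pkg = root.get("package") or ""
    # Receiver for incoming SMS broadcasts: classic interception marker.
    sms_receiver = any(a.get(A + "name") == "android.provider.Telephony.SMS_RECEIVED"
                       for a in root.iter("action"))
    # Brand in the visible label but package outside that brand's namespace.
    brand_mismatch = any(brand in label.lower() and not pkg.startswith(prefixes)
                         for brand, prefixes in OFFICIAL_PACKAGE_PREFIXES.items())
    severe = {"SMS interception", "Keylogging via accessibility"} & caps.keys()
    verdict = ("high risk" if severe and len(caps) >= 3
               else "medium risk" if caps else "low risk")
    return {"package": pkg, "label": label, "capabilities": caps,
            "sms_receiver": sms_receiver, "brand_mismatch": brand_mismatch,
            "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
    print(assess(BENIGN_MANIFEST))
```

The manifest only shows what the app may do; confirming that the permissions are actually used for interception or keylogging still requires looking at the code (the receiver and accessibility-service classes) or running the sample in a sandbox.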

Infrastructure

  • Domain: Registered 1 week before campaign
  • Hosting: Compromised WordPress site
  • C2: 194.233.164.12 (Germany)
  • Targets: Primarily Android users in US

Protective Actions

Immediate Response

  1. Device:
    • Did not click link
    • Screenshot message
    • Blocked sender
    • Ran malware scan
  2. Reporting:
    • Forwarded to 7726 (SPAM reporting)
    • Reported to USPS Postal Inspection Service
    • Filed with FTC
    • Submitted Quiet-Report

Preventive Measures

  1. Device Security:
    • Updated Android security patch
    • Verified app installation sources
    • Installed reputable security app
  2. Behavior Changes:
    • Never click links in delivery texts
    • Verify through official apps
    • Use package tracking apps directly

Impact Assessment

Risk Factors

  1. High: Expecting actual deliveries made the pretext credible
  2. Medium: Android device exposure (APK sideloading possible)
  3. Mitigating: Security awareness prevented infection

Potential Damage (if installed)

  • Financial loss from banking apps
  • Identity theft from personal data
  • Additional malware spreading to contacts
  • Device compromise requiring factory reset

Detection Statistics

Campaign Scope

  • Messages Sent: Estimated 500,000+
  • Click Rate: ~5% (reporter's estimate, inferred from download counts)
  • Infection Rate: ~60% of clicks
  • Geographic: Primarily US, major cities
  • Note: these figures are estimates and do not reconcile exactly; 5% of 500,000 is 25,000 clicks, while the report counts 5,000+ downloads

Takedown Actions

  1. Domain: Suspended by registrar
  2. Hosting: Site taken down
  3. C2: Investigated by authorities
  4. Warning: USPS issued official alert

Recommendations

  1. For Users:
    • Use official carrier apps for tracking
    • Never download APKs from links
    • Verify delivery issues through official channels
  2. For Carriers:
    • Official SMS sender IDs
    • Public awareness campaigns
    • Better fraud reporting systems

Evidence Provided

  • sms-screenshot.png (image)
  • domain-analysis.pdf
  • malware-report.txt

Resolution

Type: WARNING
Description: Malicious domain taken down, USPS issued fraud alert
Outcome: Android security updates pushed to detect similar malware

Tags

#SMS #Delivery #Malware #USPS #Android

Reporter Information

Status: Verified User
Username: MobileSecurity
Trust Score: 87%
Reports Filed: 12
Success Rate: 85%

⚠️ Safety Tips

  • Never share personal information with unknown parties
  • Verify company credentials before making payments
  • Use secure payment methods with buyer protection
  • Report suspicious activity immediately
