The scam usually starts with a smishing (SMS phishing) text message or an email. It pretends to be from a well-known delivery company, telling you that there is a problem with your package or that you need to track a shipment.
If you click the link on a computer, the website will show a QR code. It tells you to scan it with your phone to install their "tracking app." This is a trick to move the attack from your secure computer to your mobile phone.
Bypassing Security
By default, Android phones block apps that don't come from the official Google Play Store. To get around this, the scammers use two main tricks:
- Lying to you: They claim the app is a "required security module" or a "customs verification tool" to convince you to ignore your phone's security warnings.
- The Identity Fake: Once you open the app, it looks like a real login screen. It asks for a "delivery number" and sends a fake 6-digit verification code to your notifications to make the whole process feel professional and legitimate.
What the Malware Does
The malware can:
- Read your text messages and see your contacts.
- Record your audio and use your camera.
- Track your exact location.
- Steal your passwords by recording what you type (keylogging).
- Download or delete your files.
Security experts at ENKI believe this is the work of a group called Kimsuky. The group has been found using similar tricks before, such as making fake login pages for popular Korean sites like Naver and Kakao to steal usernames and passwords.
The researchers also found that the group is "repackaging" real apps. For example, the group took a real VPN app from the Play Store, stuffed it with malicious code, and sent it out to victims.
How to Stay Safe
- Never scan QR codes from unsolicited texts or emails.
- Only install apps from the official Google Play Store.
- Ignore requests to install "security modules" or "customs apps" via a web browser.
- Check the URL: Real delivery companies will not host their apps on random strings of numbers (IP addresses).
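The "check the URL" advice can be automated in a message filter or help-desk triage script. The Python sketch below is an added example, not code from ENKI or from this article; the function names and sample messages are made up for illustration, and the addresses come from ranges reserved for documentation.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Finds http(s) links in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def host_is_ip_literal(url: str) -> bool:
    """True when the link's host is a raw IPv4/IPv6 address, not a domain name."""
    try:
        # .hostname drops any user@ prefix, the port and IPv6 brackets.
        host = urlsplit(url).hostname
    except ValueError:  # malformed link, e.g. unbalanced IPv6 brackets
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # A name such as 203.0.113.7.example.com is a domain, not an address.
        return False


def flag_ip_hosted_links(message: str) -> list[str]:
    """Return every link in the message whose host is a raw IP address."""
    links = (u.rstrip(".,;:!?)") for u in URL_RE.findall(message))
    return [u for u in links if host_is_ip_literal(u)]


# Constructed sample messages (not taken from the real campaign).
SAMPLE_MESSAGES = [
    "Your parcel is on hold. Install the tracking app: http://203.0.113.7:8080/track.",
    "Customs verification needed: https://[2001:db8::1]/app.apk",
    "Track your order at https://tracking.example.com/status?id=203.0.113.7",
]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        hits = flag_ip_hosted_links(text)
        print("SUSPICIOUS" if hits else "ok        ", hits, "<-", text)
```

A link that passes this check is not proven safe; the check only catches the IP-address pattern described above.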
