Switzerland’s National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the country’s postal service.

Citizens have been getting cunningly crafted letters faked to look like they have been sent from the nation’s Federal Office of Meteorology and Climatology. They tell recipients to scan a QR code and download a “Severe Weather Warning App” for Android, which mimics the genuine Alertswiss weather app, but is spelled “AlertSwiss” in the bogus version and has a slightly different logo than the government build.

The app, hosted on a third-party site and not the official Google Play Store, contains a variant of the Coper trojan, first discovered in July 2021. Coper specializes in keylogging, intercepting two-factor authentication SMSes and push notifications, and going after banking apps installed on a device – stealing stored credentials and other data – thus allowing it to gather up all the info needed for its operators to log into people’s bank accounts and plunder them. It can also display phishing screens, it responds to instructions from command-and-control servers, and it asks for a load of permissions to get away with its skulduggery.

“It is the first time the NCSC sees malware delivery through this method,” the agency told The Register. “The letters look official with the correct logo of the Federal Office for Meteorology and thus trustworthy. In addition, the fraudsters build up pressure in the letter to tempt people into rash actions.”

The agency told us that there’s no telling how many people got the letters because Switzerland does not have a universal reporting requirement for incidents like this. The NCSC told us it had, however, heard from over a dozen people. This low number makes sense when you think about it.

Sending this type of letter in Switzerland typically costs about $1.35 per piece, suggesting the scammers likely used it in a highly targeted manner for spear-phishing specific individuals. While email has allowed malware operators to reach millions at almost zero cost, doing it by mail changes the financial equation.

Of course, abusing QR codes is nothing new – we’ve been reporting on that since the early 2010s. Microsoft just the other week reported more than 15,000 messages with malicious QR codes targeting the education sector had been sent every day over the past year.

But posting them is a first for us. While it seems highly inefficient, if a high-value target falls for it, the proceeds may be worth it. After all, there’s a lot of wealth in Switzerland. ®