It’s emerged that Android users in the UK have been sent messages and notifications containing links that appear as if they will divert them to tracking apps for delivery companies like DHL.
However, clicking on the links provided takes them to Flubot, a fraudulent app that can take over devices and spy on phones to gather sensitive data.
According to the Mirror, the app can also trawl contact lists, sending similar dud notifications on to your friends and widening its net for more victims.
Vodafone has made details of the scam public to its users and on social media, a move that reflects the “seriousness of these malicious text messages”, said Ben Wood, chief analyst at CCS Insight.
"We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it's something that needs awareness to stop the spread," a Vodafone spokesperson told the Mirror.
How does the scam work?
One version of the scam reportedly pretends to be a text message from DHL, with a link to a website for parcel tracking.
But clicking on the link with an Android device will take the user to a page that explains how to install said app with an APK, a type of file that allows users to install apps not approved for listing on Google’s secure Play store.
In reality, the APK isn’t for DHL parcel tracking at all, but instead for Flubot.
By default, installing APK files is blocked for security reasons, but enabling it is simple, and the scam page even includes instructions on how to do so.
APK files aren’t bad in and of themselves, and there are many genuine reasons why you would want to install one. However, this is not one of them.
Are iPhone users affected?
Apple iPhone users are not affected as those phones cannot install Android APKs.
What can I do about the scam?
Customers should "be especially vigilant with this particular piece of malware".
Kate Bevan, computing editor at consumer magazine Which?, told the Mirror that users should “contact the delivery company's official customer service helpline” if they’re not sure about any text they’ve received.
"As ever, it's important to make sure that your mobile phone is up to date with security patches. Consider also installing mobile security software from a trusted brand."
Users who receive a suspicious message should forward it to 7726 to report it and then delete the message, a spokesman for industry body Mobile UK said.
If you have installed the app, the best advice is to reset your phone to factory settings, according to Vodafone. Other network providers including EE and Three have followed with warnings of their own.
If your personal details have been compromised, alert your bank and phone provider immediately, and change any passwords.