
This Correos SMS scam takes control of your mobile with malware that is difficult to uninstall

25 May 2021

In recent weeks, our circle of contacts has been receiving the following message by SMS, very similar to others that claim to come from DHL or FedEx:

“POST: Your shipment is on its way: https://correos-track.top/XXXXXXX/”

As usual, this is not a communication sent by Correos, but by some person or group with malicious intent. Unlike on other occasions, the message does not arrive with “Correos” as the sender, but from a private number that begins with “+34 6”. For example, it has reached us from numbers beginning with “+34 628” or “+34 674”.


The SMS contains a link, which we have altered so as not to spread it any further. On the destination website (which some mobiles detect as containing malware), the supposed Correos site urges us to download an Android app in order to track a pending shipment. The problem, of course, is that we will not download the official Correos application, but rather a malicious APK file, called Correos.apk or Correos-3.apk. Here is VirusTotal’s analysis.

The generic recommendation is the same as always: do not install applications from outside the Play Store.

Knowing that many people do not have the option to install APKs from “Unknown sources” enabled, the website explains all the steps to follow to install the file with which they want to infect us. If the security of our mobile phone is effective, the system will warn us when we try to install it that it is not safe.

The real problem starts once the APK file is installed: from then on we will not be able to uninstall it easily.

Permissions

All the dangerous permissions that Correos.apk obtains

Once we install this application, the reality is what anyone who recognises it as malware would expect: it is not a Correos application. Instead, it is an application that takes control of our contact list and the SMS messages we receive, being able to open, read and even send them without asking us for permission, which is unusual. The application, of course, has access to the Internet, and can also make calls.

In this way, in addition to using all our data to try to get money from an account or relevant information such as passwords, the attackers take over our entire list of contacts, to whom they can send the SMS to see if they take the bait. This is how the scam spreads massively.

The problem is that, once the malware is installed, the system does not allow us to revoke the permissions that it grants itself, and it becomes the default messaging application, something that we were also unable to change afterwards on a Huawei device.

To uninstall the malware, we had to resort to ADB commands from a computer. The quickest solution is to restore to factory settings, but it can also be the most inconvenient.

When we try to uninstall it, Android tells us that it is not possible to do so, as it has been installed with the pre-installed system applications, which cannot be uninstalled as standard. Finally, helping a family member infected by the apk, we were able to easily uninstall it via ADB in Windows, using Command Prompt.

For it to work, in the Android developer settings we must have USB Debugging enabled. In addition, Windows and ADB must recognize our device (which will ask for permissions) when executing the command “adb devices” in Command Prompt. If it recognizes it, we will have to run these commands, in order:

  • First, we will type “adb shell” and press Enter.
  • After that, we will write “pm uninstall -k --user 0 com.tencent.mm” and press Enter.

If it works, the application will have disappeared from our terminal.
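
The same removal steps as a guarded script, added here as an example and not code from the original article: it checks that one authorised device is attached, that the package is really installed, and that it is gone afterwards. It assumes `adb` is on the PATH and a POSIX shell (Linux, macOS, WSL or Git Bash) rather than Command Prompt; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): guarded ADB removal of one package.
# Run on the computer, outside "adb shell"; the package name is passed as $1.

# Succeeds only if exactly one device is attached and authorised.
device_ready() {
    states=$(adb devices |
        awk 'seen && NF >= 2 { print $2 } /^List of devices/ { seen = 1 }')
    [ "$states" = "device" ]
}

# Succeeds if the package is installed for Android user 0.
# tr strips the CR that some devices append to adb shell output.
package_present() {
    adb shell pm list packages --user 0 | tr -d '\r' | grep -qxF "package:$1"
}

# Prints the package currently registered as the default SMS app.
default_sms_app() {
    adb shell settings get secure sms_default_application | tr -d '\r'
}

# Return codes: 0 removed, 1 no usable device, 2 not installed, 3 still there.
remove_package() {
    pkg=$1
    device_ready || { echo "need one authorised device" >&2; return 1; }
    package_present "$pkg" || { echo "$pkg not installed" >&2; return 2; }
    if [ "$(default_sms_app)" = "$pkg" ]; then
        echo "note: $pkg is the default SMS app" >&2
    fi
    # Same command as in the article; -k keeps the app's data and cache dirs.
    adb shell pm uninstall -k --user 0 "$pkg" >/dev/null
    if package_present "$pkg"; then
        echo "$pkg is still present for user 0" >&2
        return 3
    fi
    echo "$pkg removed for user 0"
}

# Usage: remove_package com.tencent.mm
```

A return code of 1 usually means the USB debugging prompt on the phone has not been accepted yet, or more than one device is attached.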