This massive scam takes control of your Android mobile with malware that is difficult to uninstall



In recent days, and today with particular intensity to welcome the new year, my circle of contacts has been receiving the following message by SMS:




"POST: Your shipment is on its way: https://correos-track.top/XXXXXXX/"




As usual, it is not a communication sent by Correos, but by some person or group with malicious intent. Unlike on other occasions, the message does not arrive from a sender named "Correos", but from a private number that begins with "+34 6". For example, it has reached us from numbers beginning with "+34 628" or "+34 674".



The SMS leads to a link that we have altered so as not to spread it any further. On the destination website (which some mobiles flag as containing malware), the supposed Correos site urges us to track a pending shipment by downloading an Android app. The problem, of course, is that we will not be downloading the official Correos application, but a malicious apk file called Correos.apk or Correos-3.apk. Here is VirusTotal's analysis.




The generic recommendation is the same as always: do not install applications from outside the Play Store.




Knowing that many people do not have the "Unknown sources" option enabled, the website explains every step needed to install the file they want to infect us with. If our mobile's security is working, the system will warn us when we try to install it that the file is not safe.




The real problem starts once the apk file is installed: from then on we will not be able to uninstall it easily





[Image: all the dangerous permissions requested by Correos.apk]



Once we install this application, what anyone who has identified it as malware would expect comes true: it is not a Correos application at all. Instead, it takes control of our contact list and of the SMS messages we receive, and can open, read and even send them without asking us for permission, which is unusual. The application also has Internet access, of course, and can make calls.



In this way, besides using all our data to try to extract money from an account or sensitive information such as passwords, the attackers take over our entire contact list and can send the same SMS to every contact to see who bites. This is how the scam spreads so massively.












The problem is that, once installed, the system does not let us revoke the permissions the malware grants itself, and it makes itself the default messaging application, something we were unable to change afterwards on a Huawei terminal either.




To uninstall the malware, we had to resort to ADB commands from a computer.




When we try to uninstall it, Android tells us it is not possible, because it has installed itself among the pre-installed system applications, which cannot be uninstalled through the normal route. In the end, while helping a family member infected by the apk, we were able to uninstall it easily via ADB on Windows, using Command Prompt.



For this to work, USB Debugging must be enabled in Android's developer settings. Windows and ADB must also recognise our device (which will ask us to authorise the connection) when we run the command "adb devices" in Command Prompt. If it is recognised, we have to run these commands, in order:



  • First, we will type "adb shell" and press Enter.

  • After that, we will write "pm uninstall -k --user 0 com.tencent.mm" and press Enter.

If it works, the application will have disappeared from our terminal.
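As an added example (not part of the original article), here is the same removal written as a POSIX shell script instead of a Command Prompt session, with the checks a practitioner would add: that exactly one device is attached and authorised, that the package is actually present for user 0, and that it is gone afterwards. The package name is the one the article uninstalls; the `adb devices` output used to exercise the classifier is constructed.

```shell
#!/bin/sh
# Added example (not from the article): the article's ADB removal, wrapped
# with the checks a responder wants before and after running it.
# usage: sh adb_remove.sh com.tencent.mm

# Read `adb devices` output on stdin and print one word: "ready" (one device
# in the "device" state), "unauthorized" (the USB-debugging prompt on the
# phone has not been accepted yet), "multiple" (pick one with adb -s <serial>),
# "none" (nothing attached), or "offline" for any other single-device state.
classify_adb_devices() {
    awk 'NR > 1 && NF >= 2 {
             n++
             if ($2 == "device") ready++
             if ($2 == "unauthorized") unauth++
         }
         END {
             if (n == 0) print "none"
             else if (n > 1) print "multiple"
             else if (ready == 1) print "ready"
             else if (unauth == 1) print "unauthorized"
             else print "offline"
         }'
}

# True if the package is installed for user 0. `pm list packages` prints
# "package:<name>" lines; match the whole line so a prefix cannot match.
package_installed() {
    adb shell pm list packages --user 0 | tr -d '\r' | grep -qx "package:$1"
}

# The article's command: uninstall for user 0, keeping the data directory
# (-k) so it remains available for inspection afterwards.
remove_package() {
    adb shell pm uninstall -k --user 0 "$1"
}

main() {
    pkg="$1"
    case "$(adb devices | classify_adb_devices)" in
        ready) ;;
        unauthorized) echo "accept the USB-debugging prompt on the phone, then retry" >&2; return 2 ;;
        multiple) echo "several devices attached; select one with adb -s <serial>" >&2; return 2 ;;
        *) echo "no usable device: check the cable and that USB Debugging is on" >&2; return 2 ;;
    esac
    package_installed "$pkg" || { echo "$pkg is not installed for user 0" >&2; return 1; }
    remove_package "$pkg"
    package_installed "$pkg" && { echo "$pkg is still present after uninstall" >&2; return 1; }
    echo "$pkg removed for user 0"
}

# Only touch a device when a package name is given on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```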