13.05.2025 - Fake e-mails claiming to be from SwissPass or SBB are a common occurrence. We frequently receive reports of such e-mails, which are usually phishing attempts. However, a particularly convincing version is currently being used to spread malware targeting Android devices.

Since last week, we’ve had reports of e-mails that appear to come from SBB. The e-mails, which are written in French, claim that a suspicious ticket purchase of CHF 224 has been made from an unknown device. Recipients are asked to click the “That wasn’t me” (“Ce n’était pas moi”) button if they didn’t make the purchase.
Clicking on the button opens a page showing what appears to be a ticket purchase from Paris to Strasbourg. A fake QR code is also displayed to make the page look more official, along with what seems to be a reservation number. Multiple exclamation points and warnings are used to create a sense of urgency. This is typical of scam e-mails – the aim is to get the victim to act quickly without noticing anything suspicious.
On the next page, you're asked to enter personal details to change or cancel the purchase – including your name, address, payment method and bank details. This alone should raise suspicion: there's no valid reason to ask for bank information in a case like this.
At first, the scam appears to be a typical phishing attempt, in which the next step would usually be to ask for passwords or credit card details.
However, in this case, the scam takes a different turn: clicking the button downloads an APK file. Android users will recognise this file type – it's the standard package format for installing Android apps. This APK file is actually malware designed to steal sensitive data. Simply downloading the file does not infect the device: the app must first be installed, which requires the victim's active involvement. That's why, in the final step, the scammers provide detailed instructions on how to install the APK file and, crucially, how to bypass the phone's security protections. By default, Android only installs apps from an approved app store; an APK downloaded through the browser is blocked until the user explicitly allows that browser to install "unknown apps". As the file does not come from an approved source, the user is instructed to change exactly this setting. If they follow these instructions, the malware is installed on the device.
At the end of the process, you're asked whether the installation worked or if you had problems and need help. We weren’t able to verify what happens when you click the ‘Need help’ button – but it’s possible the scammers call you to offer supposed support. They already have your phone number from the personal details you entered earlier.
With your bank details and phone number in hand, scammers can run all kinds of scams – from stealing login credentials to tampering with transactions or misusing your personal data.
Recommendations
- Never install a program from a website that you have opened via a link in an e-mail or text message.
- Only install necessary programs and apps and always download them from the official website or an official app store.
- Only use alternative app stores if you're aware of the potential security risks and fully trust the source.
- If you have installed an app like this, get a professional to check your device – and avoid doing any online banking or shopping or entering passwords in the meantime.
- Resetting the infected device to its factory settings is the only reliable way to remove this kind of malware.
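One quick check a technician can run before deciding on a factory reset is to list the third-party apps on the device together with the package that installed each of them. The following is an added example, not part of the NCSC article: it parses the output of `adb shell pm list packages -3 -i` and flags every app whose installer is not a trusted store (a sideloaded APK typically shows `installer=null` or the name of the browser it was installed from). The sample output embedded in the script is constructed, the package names in it are fictitious, and the list of trusted store packages is an assumption you should adapt to the device's OEM.

```shell
#!/bin/sh
# Added example (not from the NCSC page): triage a possibly sideloaded Android device.
# Live use needs USB debugging enabled and `adb` on PATH; the parsing works on the
# constructed sample below so the script also runs offline without a device.

# flag_sideloaded reads `pm list packages -3 -i` output on stdin and prints
# "<package> <installer>" for every app whose installer is not a trusted store.
flag_sideloaded() {
    # Trusted installers (assumption): Google Play and the Samsung Galaxy Store.
    trusted='com.android.vending com.sec.android.app.samsungapps'
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # ignore anything that is not a package line
        esac
        pkg=${line#package:}          # strip the "package:" prefix
        pkg=${pkg%% *}                # keep only the package name
        inst=${line##*installer=}     # text after "installer=" ("null" if unknown)
        ok=0
        for t in $trusted; do
            [ "$inst" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$pkg" "$inst"
        fi
    done
}

# Constructed sample of what `adb shell pm list packages -3 -i` prints
# (fictitious package names; the two non-store entries represent sideloads).
SAMPLE='package:com.whatsapp  installer=com.android.vending
package:com.example.sbbticket  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.updater  installer=com.android.chrome'

# Number of flagged packages in the sample (returned on stdout).
count_sideloaded() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

# Offline run against the sample. With a device attached, use instead:
#   adb shell pm list packages -3 -i | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

Anything this prints deserves a closer look with `adb shell dumpsys package <name>` (first install time, requested permissions, signing certificate). A malicious app can hide from a casual look at the app drawer, but it cannot hide from the package manager, which is why this listing is a better starting point than scrolling through installed icons.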
Current statistics: last week's reports by category (chart not included in this text version)
Last modification 12.05.2025