Parcel delivery text messaging scam hits NZ with 'significant' financial loss possible

CERT NZ, the Government's cybersecurity agency, is warning Kiwis of a text messaging scam infecting Android mobile phones that has the potential to result in significant financial loss.

Targets in New Zealand receive a text message about a parcel delivery either pending or that has been missed, with a link to a delivery website included.

If the link is clicked a prompt is then given to install the application for the delivery service. Instead, it installs a malicious app.

"The application attempts to steal your banking and credit card information as well your contact list, which it uploads to a server to continue spreading itself," CERT NZ said.

"Once a device has been infected with this malicious app it can result in significant financial loss."

The app works by automatically sending text messages from infected devices to contacts it has received from other infected devices. It then blocks the number so the recipient can't respond.

"Parcel delivery messages spreading the malicious app will come from New Zealand or other mobile numbers and contain a link to a parcel delivery website asking to install an application," the cybersecurity agency said.

"If you are expecting a delivery, it's best to track the delivery via the courier's website directly."

Because of the potential significant impact of the malicious app, immediate action needs to be taken.

CERT NZ is advising all those affected to factory reset their device as soon as possible, deleting all personal data.

"Do not restore from backups created after installing the app. Seek the services of a qualified IT professional if you require assistance."

People impacted also need to change the passwords to all online accounts, with online bank accounts a priority.

"If you have concerns that your accounts may have been accessed by unauthorised people, contact your bank immediately," CERT NZ said.