The UK government's National Cyber Security Center (NCSC) warns of a phishing campaign targeting Android phone owners

The attack begins with an SMS text message informing the user that a package has arrived from DHL and a link to track that package This link leads to a fake DHL website that invites the user to download and install a DHL package tracking app, which is actually an information-stealing malware called FluBot

"So far, the messages have been in the name of DHL, but the scam could change to exploit other corporate brands," the NCSC warned in a recent blog post

Below is a tweet from Vodafone UK showing what the scam SMS text looks like

And here is how the fake DHL page appears on your phone, courtesy of NCSC

By default, Android devices using Google Play cannot install apps from other sources However, users can override this setting, and the fake DHL site shows how

Apple iPhones, of course, cannot run this Android malware, but the NCSC notes that "fraudulent text messages could redirect [iPhone users] to fraudulent websites and steal personal information"

If you receive a text message informing you of an unexpected package, "do not click on any links in the message and do not install the app when prompted," says the NCSC The same, of course, applies to residents of other countries

Readers residing in the United Kingdom can forward suspicious messages to 7726, the national spam reporting number

If you have already installed this malicious app, the NCSC recommends doing a factory reset of your Android phone If you have a backup of your phone (Google will have saved much of your data), make sure you do not reinstall the backup created after installing the malicious FluBot app

Using the best Android antivirus apps is an effective way to prevent infection with this type of fraudulent malware