Fake Royal Mail Tracking App Malware Scam
Criminals distribute a fake Royal Mail tracking and redelivery app via SMS links, targeting UK consumers. The app steals Royal Mail and banking credentials, intercepts authentication SMS codes, and can lock victims out of their accounts.
Part of: Fake App Downloads
Last reviewed: 8 June 2026
Royal Mail's official app lets UK customers track parcels, redirect deliveries, and manage Click and Collect. Fraudsters create near-identical lookalike versions and send download links via smishing campaigns that claim a parcel is on hold and the app must be updated to reschedule delivery.
Once the fake app is installed, it presents a Royal Mail login page. Credentials entered are harvested and used to access the real Royal Mail account to monitor expected high-value deliveries. The app also intercepts banking SMS two-factor codes, enabling account takeover on financial services.
The real Royal Mail app is available through the Apple App Store and Google Play under the developer Royal Mail. Royal Mail does not distribute app updates or downloads through SMS links, and the real app never asks for more permissions than necessary for delivery management.
How this scam works on the Royal Mail brand
An SMS message arrives: Royal Mail — your parcel could not be delivered. Update your app to reschedule: [link]. The link opens a page mimicking the Royal Mail website with a Download or Update button. On Android, the download is an APK that requests SMS access, accessibility services, and device-administrator permissions.
After installation, a Royal Mail login screen harvests credentials. The app runs silently in the background, reading incoming SMS messages in real time. When the victim's bank sends a two-factor code by SMS, the app forwards it to the attacker, who is simultaneously attempting to log into the bank account using credentials captured earlier from a phishing page or breach database.
Some variants install a second component that monitors the screen for banking app activity and overlays a fake login page — capturing credentials directly rather than relying on SMS interception.
Common red flags
- SMS provides a link to download or update the Royal Mail app — the real app is only on official stores
- Download requires enabling unknown sources on Android
- Installed app requests SMS access, accessibility services, or device-administrator permissions
- App developer is not Royal Mail on the store listing
- You notice unexpected bank login attempts or two-factor code requests after installing
- Royal Mail login in the app looks slightly different from the real royalmail.com page
- The app cannot be uninstalled through normal means
How to protect yourself
- Download the Royal Mail app only from the Apple App Store or Google Play — search Royal Mail and verify the developer
- Never install an app from a link in an SMS claiming to be from Royal Mail
- Remove the app immediately if installed and revoke any administrator rights it holds
- Change your Royal Mail account password and enable two-step verification at royalmail.com
- Change passwords for any banking or email accounts you used while the app was installed
- Run a mobile security scan to confirm full removal
- Contact your bank if suspicious login attempts occurred
How to report it
- Report to Action Fraud at actionfraud.police.uk or 0300 123 2040
- Forward the smishing SMS to 7726
- Report to Royal Mail via royalmail.com/help/contact-us
- Report the fraudulent app to the App Store or Google Play
- Report to the NCSC at report.ncsc.gov.uk
Frequently asked questions
What does the real Royal Mail app do and where can I get it?
The official Royal Mail app allows parcel tracking, redelivery booking, and Click and Collect management. It is available free on the Apple App Store and Google Play under the developer Royal Mail. Search directly in the store rather than following any link.
Why does a fake Royal Mail app want SMS access?
SMS access allows the app to read two-factor authentication codes sent by banks and other services. The attacker uses these codes to bypass login security and take over your financial accounts without your knowledge.
I gave the fake app device-administrator rights. How do I remove them?
Go to Settings > Security > Device Admin Apps (the menu name varies by phone model) and revoke the app's administrator rights. You can then uninstall it normally from the Apps menu. Run a security scan afterwards to check for residual components.