Fake USPS Informed Delivery App Malware Scam
Scammers create convincing lookalike apps branded as the official USPS Informed Delivery app, distributed through unofficial download links or third-party stores. Once installed, the malicious app harvests credentials, banking data, and SMS two-factor codes.
Part of: Fake App Downloads
Last reviewed: 8 June 2026
USPS Informed Delivery is a popular legitimate service that lets you preview incoming mail and packages. Its popularity makes it a credible lure: a phishing email or SMS tells a recipient that they need to install a new version of the USPS Informed Delivery app to continue tracking, and provides a link to an unofficial download.
The fake app mimics the real one closely enough to pass a casual inspection — correct logo, similar interface, realistic tracking-number entry screen. Behind the scenes it is spyware: it reads SMS messages to intercept two-factor authentication codes, logs keystrokes to capture banking passwords, and can take periodic screenshots.
The real USPS app is available only through the Apple App Store and the Google Play Store. USPS does not send download links by SMS, email, or social media message, and will never ask you to enable unknown sources or bypass your device's app-installation security settings.
How this scam works on the USPS brand
A text or email arrives: USPS — Your Informed Delivery access has been upgraded. Download the new app to continue receiving mail previews — followed by a link. The link opens a site mimicking usps.com and presents an APK download or a redirect through a third-party store.
On Android, the user is prompted to allow installation from unknown sources — a major red flag. On iOS, the phishing site may redirect to a fraudulent app-store listing or install a configuration profile that compromises device security.
Once installed, the app requests permissions far beyond what a tracking app needs: access to SMS, contacts, call logs, and storage. These permissions allow it to relay two-factor codes to the attacker in real time, enabling same-session account takeovers on banking and email accounts.
Common red flags
- A link to download a USPS app arrives by SMS or email — the real app is only on official app stores
- The download site asks you to enable install from unknown sources on Android
- The app requests access to SMS, call logs, or microphone during initial setup
- The app version number or developer name does not match the official USPS listing on the App Store or Play Store
- Message claims your tracking or Informed Delivery access will expire if you do not update
- The download page URL is not usps.com
- The app interface asks for your full SSN or bank details to verify your account
How to protect yourself
- Download USPS apps only from the Apple App Store or Google Play Store — search directly, never follow links
- Verify the app developer is listed as United States Postal Service before installing
- Never enable install from unknown sources for a link received via SMS or email
- Review app permissions before accepting — a tracking app should not need SMS access
- If you installed a suspicious app, remove it immediately and run a mobile security scan
- Change passwords for any accounts you accessed while the app was installed
- Contact your bank if financial information was entered
How to report it
- Report the suspicious link or app to the USPS Postal Inspection Service at postalinspectors.uspis.gov
- Report the fraudulent app to the App Store or Google Play through their in-app reporting tools
- Forward the smishing message to 7726
- File a report with the FTC at reportfraud.ftc.gov
- Report to the FBI Internet Crime Complaint Center at ic3.gov if financial loss occurred
Frequently asked questions
How do I find the real USPS Informed Delivery app?
Search for USPS Mobile or Informed Delivery in the Apple App Store or Google Play Store. Verify the developer is United States Postal Service and check the number of reviews and update history before installing.
My phone asked me to enable unknown sources. Is that normal for a USPS update?
No. USPS distributes its official apps only through official app stores, which do not require enabling unknown sources. A request to enable that setting is a strong indicator that the download is malicious.
Why would a tracking app want SMS access?
A legitimate tracking app has no need for SMS access. Malicious apps request it specifically to intercept two-factor authentication codes sent by your bank or email provider, allowing the attacker to bypass security checks and take over your accounts.