A newly discovered SMS-based mobile phishing campaign is faking texts from the Czech Republic's postal service, hoping to trick Czech device owners into downloading a malicious app containing a trojan horse designed to steal credit card information and carry out other malicious activities.

According to a Thursday blog post by Check Point Software Technologies, the smishing texts alert recipients to a shipment that's been rushed to a collecting depot, and contain a link leading to a phony Czech Post web page that immediately downloads the bad app. The scheme uses social engineering to trick users into approving the installation by labeling the app as a Flash Player update or Czech Post app.

After infection, victims who try to open any app will automatically receive a request for their credit card details and other personally identifying information, which is communicated back to the attackers' command-and-control server. The malware can also intercept SMS texts (allowing the bad actors to pass two-factor authentication), send SMS messages to contacts or specific numbers to spread the infection, and lock devices for a ransomware-style attack.