{"id":23769,"date":"2025-02-03T17:43:27","date_gmt":"2025-02-03T13:43:27","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23769"},"modified":"2025-02-03T17:43:27","modified_gmt":"2025-02-03T13:43:27","slug":"tria-stealer-wedding-scam","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/tria-stealer-wedding-scam\/23769\/","title":{"rendered":"Beware of stealers disguised as\u2026 wedding invitations"},"content":{"rendered":"

Getting married is certainly one of the most important events in anyone\u2019s life. And in many cultures, it\u2019s customary to invite hundreds of guests to the celebration \u2014 including some you barely know. Cybervillains take advantage of such traditions, using wedding invitations as bait to launch attacks on Android smartphone users.<\/p>\n

Here\u2019s what threat actors have come up with this time, and how to defeat it.\n<\/p>\n

How weddings and APKs are linked<\/h2>\n

\nYou may already know about our global threat intelligence network \u2014 Kaspersky Security Network (KSN)<\/a>. In 2024, we spotted several suspicious and clearly malicious APK samples circulating in both Malaysia and Brunei. At the same time, social networks were buzzing with Android users of those same countries complaining about having their WhatsApp accounts hacked, or receiving suspicious APKs through WhatsApp or other messenger apps.<\/p>\n

Connecting the dots, we deduced that cybercriminals were sending Android users in Brunei and Malaysia wedding invitations in the form of an APK, which victims were urged to install on their own devices themselves. In the message, the attacker begins by apologizing for inviting the recipient to such an important event through WhatsApp rather than in person, then suggests that the user find the time and place of the celebration in the attached file \u2014 which turned out to be the same malicious APK that we found in KSN.<\/p>\n

\"Examples<\/a>

Examples of wedding invitations sent by attackers in the Indonesian language<\/p><\/div>\n

The scheme uses two versions of the same stealer (one appeared in March 2024, the other with added functionality in August), which we\u2019ve called Tria \u2014 after the name of the user who appears to be responsible for supporting or even conducting the entire campaign.\n<\/p>\n

What the Tria stealer does<\/h2>\n

\nThe malware primarily harvests data from text and email messages, but also reads call and message logs that it later sends to the C2 server through various Telegram bots. Naturally, the attackers don\u2019t do this out of their love of reading other people\u2019s correspondence. All stolen data is used to hack victims\u2019 Telegram, WhatsApp, and other accounts, and then message their contacts asking for money. However, an even more unpleasant scenario is possible: attackers could gain access to the victim\u2019s online banking accounts by requesting and intercepting OTP codes needed for login.<\/p>\n

To disguise itself, the stealer employs social engineering tactics: hiding behind a gear icon, it mimics a system application to get the permissions it needs from the user. The malware needs ten permissions in total, including access to network activity and sending\/reading text messages. For details on what other permissions Tria requests and how exactly the stealer works, see the full post on our Securelist blog<\/a>.<\/p>\n

It\u2019s known at present that the attacks were limited to users in Malaysia and Brunei, and not targeted at any specific individuals; however, the cybervillains may decide to expand their reach going forward. And when it comes to the bogus invitation that leads to installing the APK, the scope isn\u2019t limited to weddings \u2014 future attacks could exploit religious ceremonies, birthdays\u2026 you name it. So be vigilant, arm yourself with reliable protection<\/a>, and read our tips on how to combat this stealer and other malware for Android.\n<\/p>\n

How to guard against the Tria stealer<\/h2>\n

\nThe simple method of distribution makes it fairly easy to protect yourself against:\n<\/p>\n