
New Android Malware Exploiting Wedding Invitations to Steal Victims' WhatsApp Messages

A sophisticated Android malware campaign, dubbed Tria Stealer, has been targeting users in Malaysia and Brunei since mid-2024. 

The malware uses fake wedding invitations as a lure to trick victims into installing a malicious Android package (APK) file. 

Once installed, the malware steals sensitive data, including WhatsApp messages, SMS, and emails, and exploits this information for account hijacking and financial fraud.

Overview of the Tria Stealer Campaign

Kaspersky reports that the attackers distribute the malicious APK through personal and group chats on platforms like WhatsApp and Telegram. 

Delivery through compromised WhatsApp and Telegram accounts

Victims receive messages claiming to be wedding invitations, often accompanied by an attachment labeled as a digital invitation card. However, the attachment is a disguised APK file. Once downloaded and installed, the malware gains access to the victim’s device.

Upon first execution, the app's IntroActivity component (its launcher activity) checks whether the app is being started for the first time. It then requests permissions such as android.permission.RECEIVE_SMS, which allows it to intercept incoming SMS messages. Since Android 6.0, SMS permissions are runtime permissions that the user has to grant explicitly, which is why the app goes to some lengths to look like a legitimate system component.

Overview of the Tria Stealer campaign

To appear legitimate, it mimics a system settings app with a gear icon. Victims are then prompted to enter their phone number, which is forwarded to the attackers through the Telegram Bot API; Telegram serves as the malware's command-and-control (C2) channel.

Samples of the malware date back to March 2024, and the campaign has evolved since then. A second version was detected in August 2024 with enhanced features, including improved wording in its Telegram communications and additional capabilities for stealing app notifications.

Researchers believe the campaign is operated by an Indonesian-speaking threat actor based on embedded Indonesian-language strings in the malware code (e.g., “APLIKASI DI BUKA LAGI,” meaning “APPLICATION REOPENED”). 

While similar campaigns like UdangaSteal have targeted users in Southeast Asia before, Tria Stealer employs distinct tactics and code patterns.

Technical Capabilities of Tria Stealer

The malware is highly invasive and sophisticated. Key features include:

Data Collection:

  • SMS messages, including one-time passwords (OTPs) and transaction authorization codes (TACs).
  • Call logs and message content from apps such as WhatsApp and Gmail.
  • Notifications from apps such as Google Messages, Samsung Messages, Outlook, and Yahoo Mail.
  • Collected data is exfiltrated to Telegram bots controlled by the attackers. Separate bots are used for different types of data (e.g., SMS vs. app messages).
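The indicators above (SMS permissions requested at first launch, a notification listener, and exfiltration to Telegram bots) can be checked statically once an APK has been decoded. The script below is an added example for triage, not Kaspersky's tooling or the malware's own code. It assumes the manifest has already been decoded to plain XML (for instance with apktool or androguard; APKs store it in binary AXML form) and that strings have been dumped from the app's DEX. The manifest, the bot URLs and the "Settings" disguise in the sample are constructed to mirror the behaviour described in this article; they are not real Tria Stealer artifacts, and the length bound on the Telegram token secret is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Manifest attributes live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read messages and call history.
CAPTURE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}
# A service guarded by this permission is a NotificationListenerService and
# sees the content of other apps' notifications (WhatsApp, Gmail, ...).
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Telegram Bot API URLs carry the bot token in the path as bot<id>:<secret>.
# The 30+ character bound on the secret is an assumption, not a Telegram spec.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]{30,}/(?P<method>\w+)"
)

# Constructed sample manifest modelled on the behaviour described above
# ("Settings" label with a gear icon, SMS receiver, notification listener).
# Not a real Tria Stealer artifact.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Settings" android:icon="@drawable/ic_gear">
        <activity android:name=".IntroActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed strings as they might appear in a strings dump of the app's DEX:
# two different bots (one per data type) plus an Indonesian UI string.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:AAEconstructedTOKENforSMSbot0000000/sendMessage",
    "https://api.telegram.org/bot9876543210:AAEconstructedTOKENforNOTIFbot00000/sendMessage",
    "APLIKASI DI BUKA LAGI",
]


def manifest_indicators(manifest_xml: str) -> dict:
    """Pull the message-capture indicators out of a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms_receiver = any(
        a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
        for a in root.iter("action")
    )
    notification_listener = any(
        s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
        for s in root.iter("service")
    )
    return {
        "capture_permissions": sorted(declared & CAPTURE_PERMISSIONS),
        "sms_receiver": sms_receiver,
        "notification_listener": notification_listener,
    }


def telegram_bots(strings) -> list:
    """Return (bot_id, API method) pairs. The token secret is deliberately
    not returned so it never ends up in a report or log."""
    found = set()
    for s in strings:
        for m in TELEGRAM_BOT_URL.finditer(s):
            found.add((m.group("bot_id"), m.group("method")))
    return sorted(found)


def verdict(manifest_xml: str, strings) -> dict:
    """Flag the combination: message-capture capability plus Telegram bot exfil."""
    report = manifest_indicators(manifest_xml)
    report["telegram_bots"] = telegram_bots(strings)
    can_capture = bool(report["capture_permissions"]) or report["notification_listener"]
    report["suspicious"] = can_capture and bool(report["telegram_bots"])
    return report


if __name__ == "__main__":
    for key, value in verdict(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The verdict deliberately keys on the combination rather than on any single indicator: plenty of legitimate apps declare READ_SMS or ship a notification listener, and Telegram bot URLs appear in benign apps too, but an app that does both while presenting itself as "Settings" is worth a closer look. Two distinct bot IDs in the output match the split-by-data-type pattern described above.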

Account Hijacking:

  • By intercepting OTPs and security codes, attackers gain unauthorized access to victims’ WhatsApp and Telegram accounts.
  • Compromised accounts are used to spread the malware further or impersonate victims to request money transfers from their contacts.

Impact on Victims

Victims face significant risks:

  • Unauthorized financial transactions via intercepted OTPs.
  • Loss of access to personal messaging accounts.
  • Potential compromise of other online services whose logins or password resets are verified by SMS or email codes.

The Tria Stealer campaign highlights how cybercriminals exploit social engineering tactics like fake wedding invitations to infiltrate devices. 

With its ability to hijack WhatsApp accounts and steal sensitive data, this malware poses a severe threat to users in Malaysia and Brunei. As digital scams become more sophisticated, vigilance remains critical in preventing such attacks.

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening in cyberspace.
