
WhatsApp wedding invite could hide a nasty surprise

  • Kaspersky has uncovered a malware campaign that uses fake wedding invitations to lure users into downloading malware.
  • Once installed, the infostealer grabs every bit of data it can from a device, potentially leading to other compromises.
  • The threat plays on a target’s emotions to get them to download a file they may otherwise have never downloaded.

The Global Research and Analysis Team (GReAT) at Kaspersky has discovered a new malicious campaign that sounds a lot like wedding bells but is more like a death knell for your security.

The campaign uses compromised WhatsApp and Telegram accounts to send targets malicious software, in this case an infostealer called Tria Stealer. The malware sits on an Android phone and sends text messages, emails and other data from the device to the attackers. This includes intercepted text messages, which gives attackers a way to breach accounts that use SMS for multi-factor authentication.

“After it is installed, the malware requests permissions which allow it to access sensitive data and functions, such as reading and receiving text messages, monitoring phone status, call logs, and network activity, as well as performing actions like displaying system-level alerts, running in the background, and starting automatically after device reboot,” Kaspersky reports.

“Collectively, these permissions grant significant control over device operations and the attackers can intercept victim notifications to steal messages and emails. The application mimics a system settings app with a gear icon to trick the victim into thinking that the requests and the app itself are legitimate,” it adds.
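As an added illustration (not Kaspersky's code or tooling), the permission set described above can be turned into a simple triage check for an APK received over chat. The sketch assumes the manifest has already been decoded to text XML (for example with apktool); the mapping from the quoted behaviours to Android permission names, the threshold and the sample manifests are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: the behaviours Kaspersky lists, mapped to standard Android permissions.
BEHAVIOURS = {
    "read/receive SMS": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "phone status": {P + "READ_PHONE_STATE"},
    "call logs": {P + "READ_CALL_LOG"},
    "network activity": {P + "ACCESS_NETWORK_STATE"},
    "system-level alerts": {P + "SYSTEM_ALERT_WINDOW"},
    "background execution": {P + "FOREGROUND_SERVICE"},
    "start after reboot": {P + "RECEIVE_BOOT_COMPLETED"},
}
LISTENER = P + "BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(xml_text):
    """Return ({behaviour: [permissions]}, has_notification_listener)."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs: the manifest comes from an untrusted APK
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    matched = {b: sorted(p & requested) for b, p in BEHAVIOURS.items() if p & requested}
    # Notification access is declared on a <service>, not through <uses-permission>.
    listener = any(s.get(NS + "permission") == LISTENER for s in root.iter("service"))
    return matched, listener

def is_suspicious(xml_text, min_behaviours=4):
    """Heuristic (illustrative threshold): SMS access plus notification
    interception, or SMS access as part of a broad permission set."""
    matched, listener = triage_manifest(xml_text)
    return "read/receive SMS" in matched and (listener or len(matched) >= min_behaviours)

def sample_manifest(perms, listener=False):
    """Build a constructed manifest for the demo; not taken from any real app."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = f'<service android:name=".N" android:permission="{LISTENER}"/>' if listener else ""
    return (f'<manifest xmlns:android="{NS[1:-1]}" package="com.example.demo">'
            f"{uses}<application>{svc}</application></manifest>")

INVITE = sample_manifest(["READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_PHONE_STATE",
                          "SYSTEM_ALERT_WINDOW", "RECEIVE_BOOT_COMPLETED"], listener=True)
WEATHER = sample_manifest(["ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED"])

if __name__ == "__main__":
    for name, doc in (("invite.apk", INVITE), ("weather.apk", WEATHER)):
        print(name, is_suspicious(doc), triage_manifest(doc))
```

A match is a reason to stop and verify with the sender, not proof of malware; legitimate messaging apps also request SMS and notification access.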

The technique used to get folks to download the malware is rather strange. According to Kaspersky, targets are sent wedding invitations in the form of an APK file. As you may be aware, these are applications for the Android platform, and while users can’t install APKs by default, a restriction that exists for their own safety, a bit of convincing can get them to disable this protection. We have to admit, a wedding invitation is a novel approach to lure users into downloading a malicious file.

Delivery through a compromised WhatsApp account (on the left) and through a compromised Telegram account (on the right). Image – Kaspersky.

Cybercriminals often prey on a target’s emotions in the hope that their judgement will be clouded and they will fall for the bait. A wedding invitation is sure to get folks to download a file, even an app, because there is seemingly an app for everything nowadays.

The attackers in this campaign appear to originate from Indonesia, with Kaspersky spotting several artifacts in the malware’s code that were written in Indonesian. The naming conventions used in the bots that control the compromised WhatsApp and Telegram accounts also suggest the attackers are from that region.

“Stealers can inflict serious financial losses and privacy breaches, and it’s very important for individuals and corporate users to always be on alert and avoid blindly following requests that they get online, even if these come from someone they know,” warns security researcher at GReAT, Fareed Radzi.

The researcher advises that users always download apps from official storefronts such as the Apple App Store, Google Play Store and the Huawei AppGallery. These storefronts put a large amount of effort into keeping users safe by filtering out potential scams and malware before they hit the storefront. With that in mind, we highly recommend that when looking for apps you limit your search to the official app stores supported by your device.

If you do receive an invite that contains an APK, we recommend you speak with the sender directly before downloading it. One phone call can prevent a world of hurt.

[Image – Dorigo from Pixabay]
