Hackers use fake wedding invitations to spread Android malware in Southeast Asia
Cybercriminals are using fake wedding invitations targeting users in Malaysia and Brunei to distribute a newly discovered Android malware called Tria.
Since mid-2024, the attackers have been spreading the malware through private and group chats on Telegram and WhatsApp, inviting users to weddings and prompting them to install a mobile app to receive the invitation, according to a report published Thursday by Russian cybersecurity firm Kaspersky.
Once installed, the malware steals sensitive data from SMS messages, emails, including Gmail and Outlook, call logs, and messaging apps like WhatsApp and WhatsApp Business.
Researchers warn that the stolen information could be used to access online banking, reset passwords, or hijack accounts that rely on email and messaging app authentication.
The primary goal of the attackers appears to be gaining full control of victims’ WhatsApp and Telegram accounts, allowing them to spread malware further or send fraudulent money requests to contacts.
The hackers use two Telegram bots to process stolen data — one for collecting text from instant messaging applications and emails and another for handling SMS data.
While the exact number of victims remains unclear, posts on social media platforms like X and Facebook suggest the campaign has reached a number of Android users in Malaysia, according to Kaspersky.
Researchers have not attributed the attack to a specific group, but evidence suggests the hackers are Indonesian-speaking.
In 2023, Kaspersky uncovered a similar campaign called UdangaSteal, in which hackers stole text messages from users in Indonesia, Malaysia, and India, transmitting the data to their servers via a Telegram bot. The attackers used various tactics to trick victims into installing malicious files, including fake wedding invitations, package delivery notifications, annual tax payment reminders, and job offers.
Despite the similarities, researchers note key differences between the two campaigns, including distinct malware code, varying geographic targets, and different attack tactics. While UdangaSteal has maintained a consistent focus on SMS theft, Tria has a broader reach, targeting emails and messaging apps in addition to SMS communications, researchers said.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.