A newly discovered cyber threat is preying on unsuspecting Android users through a deceptive scheme involving fake wedding invitations. Kaspersky’s Global Research and Analysis Team (GReAT) has identified a malicious campaign that employs social engineering tactics to trick victims into downloading malware disguised as an invitation. Dubbed “Tria Stealer,” this malicious application grants attackers extensive access to victims’ sensitive information, including personal messages, emails, and even online banking credentials.
Tria Stealer is spread through APK installation files, which are shared via personal and group chats on platforms like WhatsApp and Telegram. These files bypass official app stores such as Google Play, making it easier for cybercriminals to distribute malware undetected. The attackers lure victims with an invitation to a fake wedding, instructing them to install the APK file to view the event details.
Once installed, the malware requests permissions that allow it to:
- Read and receive text messages
- Monitor phone status, call logs, and network activity
- Display system-level alerts
- Run in the background and launch automatically after a reboot
By granting these permissions, victims unknowingly hand over control of their device to the attackers. The malware masquerades as a legitimate system settings app, using a gear icon to avoid suspicion. Furthermore, users are prompted to enter their phone number, which is then transmitted to the attackers along with their device’s brand and model information. The stolen data is sent to the cybercriminals via Telegram bots.
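A defender-side triage of the permission set listed above, added here as an example that is not part of Kaspersky's report or this article: it parses `aapt dump permissions`-style text for an APK and flags the combination described. The Android permission names, the group names, the verdict thresholds and the sample dumps are assumptions; the article describes the permissions only in plain language.

```python
import re

# Assumed mapping from the article's plain-language list to Android manifest
# permission names (the article itself does not name them).
GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone_and_calls": {"android.permission.READ_PHONE_STATE",
                        "android.permission.READ_CALL_LOG"},
    "network_state": {"android.permission.ACCESS_NETWORK_STATE"},
    "system_alerts": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Extract requested permission names from permission-dump text."""
    return {m.group(1) for line in dump.splitlines() if (m := PERM_RE.match(line))}

def triage(dump):
    """Report which behaviour groups from the article an APK requests."""
    requested = parse_permissions(dump)
    hits = {g: sorted(p & requested) for g, p in GROUPS.items() if p & requested}
    # SMS access combined with start-on-boot is what makes background OTP
    # interception possible, so that pairing alone is rated high (assumption).
    if {"sms", "boot_persistence"} <= hits.keys():
        verdict = "high"
    elif "sms" in hits or len(hits) >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "groups": hits}

# Constructed sample dumps, not taken from any real APK.
SUSPICIOUS = """package: com.example.invitation
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""
BENIGN = """package: com.example.notes
uses-permission: android.permission.INTERNET
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(dump))
```

A "high" or "review" verdict is a prompt for manual inspection, not proof of malice: legitimate messaging and dialer apps request some of the same permissions.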
Beyond stealing personal data, Tria Stealer enables attackers to hijack WhatsApp and Telegram accounts, using them to send fraudulent messages to the victim’s contacts. The goal is to solicit money from friends or family members under false pretenses. Additionally, by intercepting SMS messages, attackers can gain access to various online services, including banking apps, by capturing one-time passwords (OTPs) sent for authentication.
Kaspersky’s investigation suggests that Indonesian-speaking threat actors are behind the Tria Stealer campaign. This conclusion is based on Indonesian language artifacts found in the malware code and the naming patterns of the Telegram bots used for data transmission.
How to Stay Protected
To safeguard against threats like Tria Stealer, Kaspersky recommends the following precautions:
- Download apps only from official sources such as the Google Play Store, Apple App Store, or Amazon Appstore. While no platform is entirely risk-free, official stores implement security checks to filter out malicious applications.
- Be cautious with app permissions. Before granting any permissions, carefully evaluate whether the app truly requires them. High-risk permissions, such as access to text messages, should be scrutinized.
- Use a reliable security solution. A strong antivirus program can detect and block malicious apps before they compromise your device.
Cybercriminals are continuously refining their tactics, making it crucial for users to stay vigilant against evolving threats. By exercising caution and following cybersecurity best practices, individuals and organizations can reduce the risk of falling victim to malicious campaigns like Tria Stealer.