Hackers use fake wedding invitations to spread Android malware in Southeast Asia

Avatar

Cybercriminals are using fake wedding invitations targeting users in Malaysia and Brunei to distribute a newly discovered Android malware called Tria.

Since mid-2024, the attackers have been spreading the malware through private and group chats on Telegram and WhatsApp, inviting users to weddings and prompting them to install a mobile app to receive the invitation, according to a report published Thursday by Russian cybersecurity firm Kaspersky.

Once installed, the malware steals sensitive data from SMS messages, emails, including Gmail and Outlook, call logs, and messaging apps like WhatsApp and WhatsApp Business.

Researchers warn that the stolen information could be used to access online banking, reset passwords, or hijack accounts that rely on email and messaging app authentication.

The primary goal of the attackers appears to be gaining full control of victims’ WhatsApp and Telegram accounts, allowing them to spread malware further or send fraudulent money requests to contacts.

The hackers use two Telegram bots to process stolen data — one for collecting text from instant messaging applications and emails and another for handling SMS data.

While the exact number of victims remains unclear, posts on social media platforms like X and Facebook suggest the campaign has reached a number of Android users in Malaysia, according to Kaspersky.

Researchers have not attributed the attack to a specific group, but evidence suggests the hackers are Indonesian-speaking.

In 2023, Kaspersky uncovered a similar campaign called UdangaSteal, in which hackers stole text messages from users in Indonesia, Malaysia, and India, transmitting the data to their servers via a Telegram bot. The attackers used various tactics to trick victims into installing malicious files, including fake wedding invitations, package delivery notifications, annual tax payment reminders, and job offers.

Despite the similarities, researchers note key differences between the two campaigns, including distinct malware code, varying geographic targets, and different attack tactics. While UdangaSteal has maintained a consistent focus on SMS theft, Tria has a broader reach, targeting emails and messaging apps in addition to SMS communications, researchers said.

News BriefsNewsCybercrime
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Pakistan-based cybercrime network dismantled by US, Dutch authorities

Next Post

Tata Technologies reports ransomware attack to Indian stock exchange

Related Posts

CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel. "'Fast flux' is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS)
Avatar
Read More

Indian Court Orders Action to Block Proton Mail Over AI Deepfake Abuse Allegations

A high court in the Indian state of Karnataka has ordered the blocking of end-to-end encrypted email provider Proton Mail across the country. The High Court of Karnataka, on April 29, said the ruling was in response to a legal complaint filed by M Moser Design Associated India Pvt Ltd in January 2025. The complaint alleged its staff had received e-mails containing obscene, abusive
Avatar
Read More