New Android Malware Exploiting Wedding Invitations to Steal Victims’ WhatsApp Messages

Since mid-2024, cybersecurity researchers have been monitoring a sophisticated Android malware campaign dubbed “Tria Stealer,” which exploits fake wedding invitations to lure users into installing malicious apps (APK files).

Malware Campaign Overview

The campaign primarily targets users in Malaysia and Brunei, with Malaysia experiencing the most significant impact.

Analysis indicates the operation originates from an Indonesian-speaking threat actor, supported by embedded Indonesian language strings and naming conventions in the malware’s architecture.

Kaspersky’s security solutions detect this malware under the identifier HEUR:Trojan-Spy.AndroidOS.Agent.*.

Tria Stealer harvests sensitive data, including SMS messages, call logs, emails, and personal communications from apps like WhatsApp and Gmail.

The stolen data is transmitted to the attacker using Telegram bots, enabling account takeovers and fraudulent money transfer requests targeting victims’ contacts.

The campaign uses custom Telegram API bots to manage command-and-control (C2) communications.

Technical Insights into Tria Stealer Functionality

The malicious APK distribution theme revolves around enticing users with seemingly legitimate wedding invitations shared via compromised WhatsApp and Telegram accounts.

Upon installation, the malware disguises itself as a system settings app, requesting permissions to access SMS, call logs, and notifications.

During its initial execution, it gathers device information, phone numbers, and personal app-related data, transmitting them to the attacker’s Telegram bots.

Tria Stealer incorporates advanced features, including notification interception, which allows it to extract and exfiltrate messages from apps like WhatsApp, Outlook, and Gmail.

Sending messages to the bot

This capability supports the theft of one-time passwords (OTPs) and transaction authorization codes (TACs), which the attackers need to hijack accounts linked to messaging and financial services.

Additionally, the malware monitors SMS and call activities using custom components like SMSMonitor and CallMonitor to collect message content, sender information, and call details.

Later variants of Tria Stealer expanded this functionality, adding the ability to intercept notifications from a wider range of apps and to capture not just SMS but also emails, personal messages, and contact information.

The attackers segregate stolen information across multiple Telegram bots, each dedicated to a specific data set such as SMS or app notifications.
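As an added defender-side example (not code from the original article or from the Securelist research), the script below triages the two traits described above: an APK manifest that combines SMS/call-log permissions with a notification listener while posing as a settings app, and proxy log lines showing an app posting to the Telegram Bot API. The manifest, package contents and log lines are constructed samples, not artifacts from the campaign.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest attribute namespace
SPY_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.READ_CALL_LOG"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def manifest_risk(manifest_xml):
    """Flag the capability mix the article describes: SMS/call-log permissions,
    a notification listener service, and a 'Settings'-style app label."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    has_listener = any(s.get(A + "permission") == NOTIF_LISTENER for s in root.iter("service"))
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    return {"sms_or_call_perms": sorted(perms & SPY_PERMS),
            "notification_listener": has_listener,
            "poses_as_settings": "setting" in label.lower()}

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<token>/<method>;
# an app with the permissions above talking to this endpoint deserves a closer look.
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/(sendMessage|sendDocument)")

def flag_telegram_c2(log_lines):
    """Return (client, bot-method) pairs for proxy log lines hitting the Bot API."""
    hits = []
    for line in log_lines:
        m = TELEGRAM_BOT.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits

# Constructed sample inputs (not real artifacts from the campaign).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Settings">
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_LOGS = [
    "10.0.0.7 POST https://api.telegram.org/bot123456:AAExample_token/sendMessage 200",
    "10.0.0.7 GET https://example.com/ 200",
]
```

Run `manifest_risk` over a manifest decoded with apktool or similar, and `flag_telegram_c2` over egress proxy logs; neither alone is proof of compromise, but the combination is the pattern this campaign exhibits.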

The campaign is designed to exploit messaging app accounts for two main objectives: propagating the malware further and impersonating users to defraud their contacts.

Victims’ stolen data may also enable access to banking services, e-commerce accounts, and other platforms reliant on SMS or email for verification.

Unlike earlier malware campaigns such as UdangaSteal, which targeted similar regions, Tria Stealer exhibits distinct characteristics, including more sophisticated data theft and account compromise mechanisms.

Overview of the Tria Stealer campaign

Attribution analysis strongly suggests Indonesian origins, with malware strings and bot names pointing to this conclusion.

Victimology trends reveal no specific targeting of individuals but a broad focus on users in Malaysia and Brunei.

Evidence indicates the campaign has been active since March 2024 and continues in January 2025.

According to Securelist, Tria Stealer’s evolving tactics signal a persistent threat to mobile users in Southeast Asia.

By leveraging social engineering and phishing techniques, attackers exploit human trust and device vulnerabilities.

Users are strongly advised to avoid installing apps from unverified sources, remain cautious of unsolicited messages, and safeguard their devices with reliable security solutions.

Cybersecurity professionals emphasize the importance of detecting and mitigating such threats early.

Organizations and individuals must remain vigilant as this campaign highlights the growing sophistication of mobile malware attacks.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
