Malicious actors are propagating a recently discovered Android malware called Tria by sending phoney wedding invitations to consumers in Brunei and Malaysia.
According to a report published by the Russian cybersecurity firm Kaspersky, the attackers have been using private and group chats on Telegram and WhatsApp since mid-2024 to distribute the malware, inviting users to weddings and prompting them to install a mobile app in order to get the invitation.
Once the malware is installed, it can collect private information from call logs, emails (including Gmail and Outlook), SMS messages, and messaging apps (such as WhatsApp and WhatsApp Business).
Researchers caution that the stolen data can be used to compromise accounts that depend on email and messaging app authentication, reset passwords, or access online banking.
The attackers' main objective seems to be taking complete control of the victims' Telegram and WhatsApp accounts so they can make phoney money requests to connections or propagate malware.
To process stolen data, the hackers employ two Telegram bots: one for managing SMS data and another for gathering text from emails and instant messaging apps.
According to Kaspersky, posts on social media sites like Facebook and X suggest that the campaign has reached a number of Android users in Malaysia, although the precise number of victims is still unknown.
The researchers have not identified a specific organisation responsible for the attack, but evidence suggests that the hackers are Indonesian-speaking.
In 2023, Kaspersky discovered a similar effort known as UdangaSteal, in which hackers stole text messages from users in Indonesia, Malaysia, and India and transmitted the data to their servers using a Telegram bot. The attackers utilised a variety of deceptive approaches to trick users into installing malicious files, such as bogus wedding invites, package delivery notifications, annual tax payment reminders, and job offers.
Despite the similarities between the two attacks, experts identify major differences, such as distinct malware code, geographic targets, and attack techniques. While UdangaSteal has always focused on SMS theft, experts say Tria has a larger reach, targeting emails and chat apps as well as SMS conversations.