Disguised as a wedding invitation: WhatsApp messages with malware installers

In a current malware campaign, the perpetrators are sending WhatsApp messages with the installation package – disguised as wedding invitations.

Victim in front of computer with smartphone and WhatsApp is in contact with a criminal

(Image: created with AI in Bing Designer by heise online / dmk)


In a current malware campaign, the perpetrators are sending WhatsApp messages containing malware. Anyone who runs the software, which poses as a wedding invitation, gives the attackers access to sensitive information and to other smartphone functions.

The perpetrators pass off WhatsApp messages with malware installers as wedding invitations.

(Image: Kaspersky)

In a blog post, Kaspersky's malware researchers analyze the campaign. It targets users in the Sultanate of Brunei and in Malaysia, but the success of the scam could encourage similar attacks in other regions of the world, including Germany, Austria, and Switzerland. Users should also stay alert to other lures: the criminals could just as well build their messages around birthdays, religious holidays and similar occasions.

The attackers use an alleged wedding invitation as the hook and apologize for sending the invitation to such an event via WhatsApp. The time and place of the celebration, they claim, can be found in the attached file, an .apk file, i.e., an installer package for Android. However, it contains malware, in this case an infostealer.


Kaspersky's malware analysts have discovered two variants and named the malware family "Tria". It harvests text and email messages, reads call logs and messaging logs, and sends the data to its command-and-control infrastructure via several Telegram bots. With the captured data, including one-time codes, the perpetrators take over the victims' Telegram and WhatsApp accounts as well as other accounts. According to the report, complaints on social networks from affected users have been increasing, from people whose WhatsApp accounts have been hijacked or who have received suspicious .apk files via WhatsApp or other messenger apps.

The malicious actors then send messages from the hijacked accounts to the victims' contacts asking for money. It is also conceivable that the attackers log into the victims' online accounts directly, since they can intercept the OTP codes that serve as the second factor. To stay unnoticed, the perpetrators hide the malware behind a cogwheel icon, imitating a system app that requests extensive permissions.
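One practical consequence of the exfiltration path described above is that the malware talks to the public Telegram Bot API from an app that is not Telegram. The following Python check, an added example that is not part of the heise article or of Kaspersky's report, scans egress-proxy log lines for Bot API calls (URLs of the form https://api.telegram.org/bot<id>:<secret>/<method>) and flags apps that use upload methods such as sendMessage or sendDocument. The log format, the package name com.wedding.invitation and the log lines themselves are constructed for this example; the bot tokens are placeholders, not real ones.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real captures). Assumed line format:
#   "<timestamp> <android package> <HTTP method> <url>"
# The package name and the bot tokens are made up for this example.
SAMPLE_LOG = """\
2025-01-20T09:14:05Z com.wedding.invitation POST https://api.telegram.org/bot987654321:AAFexample_token_B/sendMessage
2025-01-20T09:14:06Z com.wedding.invitation POST https://api.telegram.org/bot987654321:AAFexample_token_B/sendMessage
2025-01-20T09:14:09Z com.wedding.invitation POST https://api.telegram.org/bot555555555:AAGexample_token_C/sendDocument
2025-01-20T09:14:20Z com.example.itmonitor POST https://api.telegram.org/bot111111111:AAHexample_token_D/sendMessage
2025-01-20T09:15:00Z com.android.chrome GET https://example.com/
2025-01-20T09:15:30Z com.whatsapp POST https://mmg.whatsapp.net/upload
"""

# Bot API path: /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Methods that push data out of the device; getUpdates-style polling is not counted.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_bot_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    return m["bot_id"], m["method"]


def find_bot_exfil(log_text, allowlist=frozenset()):
    """Map each non-allowlisted package to {bot_id: number of upload calls}.

    Several distinct bot ids under one package is the pattern described in the
    article (exfiltration "via several Telegram bots"), so the result keeps the
    per-bot counts rather than collapsing them.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, package, _verb, url = fields
        call = parse_bot_call(url)
        if call is None:
            continue
        bot_id, method = call
        if method not in UPLOAD_METHODS or package in allowlist:
            continue
        hits[package][bot_id] += 1
    return {pkg: dict(counts) for pkg, counts in hits.items()}


def redact_bot_url(url):
    """Mask the secret half of a bot token so the URL can go into a ticket."""
    parts = urlsplit(url)
    m = BOT_PATH.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return url
    return f"https://api.telegram.org/bot{m['bot_id']}:***/{m['method']}"


def report(hits):
    """Human-readable lines, one per flagged package."""
    lines = []
    for package, counts in sorted(hits.items()):
        bots = ", ".join(f"bot {b} x{n}" for b, n in sorted(counts.items()))
        lines.append(f"{package}: {sum(counts.values())} upload call(s) via {bots}")
    return lines


if __name__ == "__main__":
    # com.example.itmonitor stands in for a legitimate automation tool that is allowlisted.
    for line in report(find_bot_exfil(SAMPLE_LOG, allowlist={"com.example.itmonitor"})):
        print(line)
```

The allowlist exists because the Bot API itself is legitimate and some monitoring or automation apps use it; the signal is an unknown app, especially one installed from a sideloaded .apk, posting to one or more bots shortly after gaining SMS or notification access. The same pattern can be looked for in DNS logs (resolutions of api.telegram.org by an unexpected app), with less precision because the bot id and method are not visible there.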

Kaspersky advises users not to reply to strangers in messenger apps, not to open .apk files from untrusted sources, not to grant apps more permissions than they actually need, and to harden access to messenger apps and social networks, for example through the appropriate privacy settings. According to Kaspersky, two-factor authentication (2FA) via text message offers no protection here, because the attackers have access to the phone and therefore to the OTP messages. MFA via an authenticator app, by contrast, is likely to help.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.