The ongoing “free wedding invite” scam is one of several innovative campaigns aimed at the senior population.
Through social media chats like WhatsApp, fraudsters use deceptive tactics, most often involving fake wedding invitations.
It communicates with its victims over WhatsApp and tricking them into installing an APK that finally sends user data to a C2 server that is hosted on Telegram.
“A malicious APK pretending to be a fake wedding invite is then shared with the victim. The victims, believing the APK to contain more details about the free wedding, install the malware and end up being exploited by having their SMS data being stolen”, F-Secure, a cyber security firm shared with Cyber Security News.
Document
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. On the same subject : AI-powered cyber platforms will be vital to tackle federal security initiatives.:
The problem of vulnerability fatigue todayDifference between CVSS-specific vulnerability vs risk-based vulnerabilityEvaluating vulnerabilities based on the business impact/riskAutomation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
Book Your spot
Free-Wedding Invite Scam Via WhatsApp
The “wedding invite” scam, in which the victim receives a wedding invitation from an unidentified individual urging them to open the attached file to obtain further information about the wedding, was a scam that circulated throughout Malaysia.
Particularly, the “attached file” is actually an APK that infects the victim’s phone with malware.
The malware that exists is designed to steal various types of data from users’ phones, including device, build, and SMS information.
Original WhatsApp messages received as per a Facebook post
While researchers analyzed AndroidManifest.xml, there were certain risky permissions in use that enabled text message sending and reading.
Furthermore, the app does not appear in the App Launcher due to the Missing Launcher activity category. There were two broadcast recipients for the same push notification.
Observations in AndroidManifest.xml
“Once the app is installed on the phone, it stays hidden, as deduced from the MainActivity”, researchers said.
“For spyware, the reason behind hiding is to avoid detection and carry on with its objective of stealing user data as long as possible”.
As its C2 server, the malware makes use of a Telegram bot. Telegram bots are applications offered by the Telegram chat network.
It is configured to deliver real-time information and automate user interactions.
The application transfers stolen data to the Telegram bot, making it simple for a hacker to obtain information gathered on Telegram.
Collecting Device Information
Following the exfiltration of this data to the Telegram bot, the malware opens a seemingly secure website, distracting and calming the victim into a false sense of security.
The Safe Website
Although it seems to be a shopping website, its functionality is unrelated to the malware.
On the compromised device, the malware intercepts incoming SMS messages.
This may result in scammers gaining access to several sensitive data, such as personally identifiable information and one-time passwords, among others.
Such information can be misused in many ways, such as selling credentials that have been stolen or taking over banking sessions.
As a result, individuals should use caution when communicating digitally, especially with elders, as the environment of scam threat is always changing.
Security companies must also be knowledgeable about it to safeguard their clients.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Comments are closed.