Urgent Alert: “Free Wedding Invite” Scam Targets Senior Citizens, Steals Sensitive Data
A disturbing new scam is exploiting the trust and warmth of senior citizens. Scammers are posing as wedding organizers and tricking victims into installing a dangerous app disguised as a “free wedding invite.” This insidious malware is specifically engineered to steal text messages – the gateway to your personal and financial world. A recent report by F-Secure, a renowned cybersecurity firm, highlights this concerning trend.
The “free wedding invite” scam operates through social media chats, where seniors receive messages containing what appears to be a wedding invitation. Curiosity and the promise of more details about the event lead victims to install a malicious APK file, believing it to provide further information. Unbeknownst to them, this action installs malware on their devices, compromising their personal information, particularly SMS data. This data is then transmitted to a command and control (C2) server operated via a Telegram bot, showcasing a high level of sophistication and stealth in data exfiltration.
Elderly scams are not a new phenomenon, but their evolution continues to pose significant risks. These scams exploit the life savings, retirement funds, and generally lower technical knowledge of senior citizens, making them lucrative targets for fraudsters. From romance scams to the more novel live-stream funeral scams, the tactics employed are diverse and constantly evolving. The “wedding invite” scam adds to this list, demonstrating the creativity of attackers in finding new ways to exploit vulnerabilities.
F-Secure’s in-depth analysis reveals several concerning technical details about the malware. It requests dangerous permissions such as READ_SMS and SEND_SMS, enabling it to access and send text messages without the user’s consent. The malware also stays hidden from the app launcher, which helps it avoid detection and prolongs its presence on the device. The lack of a launcher activity category in the AndroidManifest.xml file and the use of methods to stay hidden at runtime are clear indicators of the malicious intent behind the app.
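The two manifest indicators described above (SMS permissions combined with no launcher entry) can be checked mechanically during APK triage. The following is an added example, not code from the F-Secure report: the function name, both sample manifests and the package names are constructed for illustration, RECEIVE_SMS is an assumption beyond the two permissions the report names, and the manifest is assumed to be already decoded from the APK's binary format to text XML.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
LAUNCHER = "android.intent.category.LAUNCHER"
# READ_SMS and SEND_SMS are named in the report; RECEIVE_SMS is an assumption added here.
SMS_PERMISSIONS = {f"android.permission.{p}" for p in ("READ_SMS", "SEND_SMS", "RECEIVE_SMS")}

# Constructed sample: requests SMS permissions, no activity carries the launcher category.
HIDDEN_SMS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.invite">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: an ordinary messaging app that is visible in the launcher.
VISIBLE_SMS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messages">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".Inbox">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded manifest that asks for SMS access but exposes no launcher icon."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {perm.get(NAME) for perm in root.iter("uses-permission")}
    sms = sorted(p for p in requested if p in SMS_PERMISSIONS)
    # A launcher icon can be declared on an <activity> or an <activity-alias>.
    has_launcher = any(
        cat.get(NAME) == LAUNCHER
        for tag in ("activity", "activity-alias")
        for component in root.iter(tag)
        for cat in component.iter("category")
    )
    return {"package": root.get("package"), "sms_permissions": sms,
            "has_launcher_entry": has_launcher, "suspicious": bool(sms) and not has_launcher}


if __name__ == "__main__":
    for sample in (HIDDEN_SMS_MANIFEST, VISIBLE_SMS_MANIFEST):
        print(triage_manifest(sample))
```

A hit is a triage signal rather than a verdict: some legitimate apps have no launcher entry, and the report also describes hiding at runtime, which a manifest check alone will not catch.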
The malware’s design allows it to launch via a third-party app, requesting permissions related to phone calls and SMS to initiate its spying activities. Its primary function is to spy on incoming SMS messages, a capability deduced from both the permissions it requests and its interaction with the Telegram C2 server. The code analysis revealed how the malware collects device information and communicates with a Telegram bot, sending back stolen data. This not only jeopardizes personal data but also opens the door to more severe attacks, such as banking session hijacking and the sale of stolen credentials.
The choice of Telegram as a C2 server platform offers several advantages to attackers. The traffic generated by the malware appears legitimate, potentially bypassing some security systems. Moreover, Telegram’s end-to-end encryption provides a secure channel for attackers to receive stolen data, complicating efforts to trace and mitigate the threat.
The report from F-Secure on the “free wedding invite” scam is a stark reminder of the ever-evolving landscape of cyber threats. As cybercriminals become more inventive, it’s imperative for individuals, especially seniors, to exercise caution with digital communications. Security providers and the cybersecurity community must also stay ahead of these threats, continuously updating their strategies to protect the vulnerable.