Summary: A dangerous new social engineering tactic involves sending “Wedding Invitations” as APK files via WhatsApp and SMS. Once installed, the malware gains Accessibility Service permissions, allowing attackers to intercept banking OTPs and siphon funds in real-time.
Business Impact: This is a critical threat to employees in the GCC and Asia who use mobile banking on personal devices. If an employee’s personal device is compromised, attackers can often bypass 2FA for work applications, leading to organizational account takeovers (ATO).
Why It Happened: Fraudsters are exploiting the emotional hook of the wedding season. By masquerading as an “Invite,” they bypass the user’s typical digital caution. The use of APK files allows the malware to bypass the security checks of official app stores.
Recommended Executive Action: Issue an urgent security awareness bulletin to all staff. Advise them to never install .apk files received via messaging apps and to check for unauthorized “Accessibility” permissions in their Android settings.
Hashtags: #MobileFraud #WhatsAppScam #Malware #SocialEngineering #BankingSecurity #BYOD