Nagpur: That seemingly harmless wedding invitation popping up on your mobile phone may be far more dangerous than it appears. Cyber criminals have now found a deeply deceptive way to exploit human trust — circulating wedding invitations in APK format to infect unsuspecting Android users. Unlike conventional e-invites that arrive as images, videos or PDFs, these files prompt recipients to install an application, opening the door to silent and extensive cyber intrusion.
Several residents in Nagpur have reported suspicious activity, rapid data depletion and unauthorised access to bank accounts after opening such invites. What makes the scam particularly effective is its emotional hook — wedding cards trigger curiosity and warmth, lowering digital caution and turning a simple tap into a costly mistake.
Speaking to TOI, cyber expert Anup Dubey explained that APK-based wedding invitations are emerging as one of the most dangerous malware delivery mechanisms on Android devices. "Instead of a standard invite, victims receive an APK file disguised as a wedding card, often named WeddingCard.apk or Shaadi_Invite.apk. It also nudges users to manually install the file," he said.
Once installed, the application appears harmless but quietly injects malicious code that gives attackers near-total control over the device.
Since the user voluntarily installs the APK, Android's default security safeguards are effectively bypassed. Dubey noted that these malicious apps cleverly request permissions that seem routine — access to SMS, contacts, call logs, storage, overlay permissions and, most critically, accessibility services.
"The accessibility permission becomes the attacker's primary weapon," Dubey warned. "It allows them to read on-screen content, remotely click buttons, monitor app usage and intercept UPI transactions in real time." Most victims unknowingly grant these permissions, assuming it is "just a wedding card."
After installation, the malware hides its icon, runs silently in the background and establishes a connection with a command-and-control server. From there, it begins harvesting sensitive data, even screen recordings during financial transactions. The phone often continues to function normally while money is siphoned off without raising immediate suspicion.
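The permission set Dubey describes can be checked before a file is ever installed. The following is an added example, not part of the original report: it triages a decoded AndroidManifest.xml (for instance one extracted with apktool) for that combination. The mapping of the article's categories to Android permission names, the verdict thresholds and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Categories named in the article, mapped (as an assumption) to Android permissions.
GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def triage_manifest(xml_text):
    """Return (verdict, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = sorted(g for g, perms in GROUPS.items() if perms & requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(A + "permission") == BIND_A11Y for s in root.iter("service"))
    if a11y:
        findings.append("accessibility_service")
    # Accessibility plus overlay or SMS is the combination the article warns about.
    if a11y and ({"overlay", "sms"} & set(findings)):
        verdict = "block"
    elif a11y or len(findings) >= 3:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings

# Constructed sample manifests (not taken from any real APK).
SAMPLE_INVITE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weddingcard">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".Helper"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gallery">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_INVITE), triage_manifest(SAMPLE_BENIGN))
```

A genuine invitation has no reason to declare an accessibility service at all, so a "block" or "review" verdict on a file presented as a wedding card is a strong signal on its own. When manifests come from untrusted APKs, parse them with a hardened XML parser such as defusedxml.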
Dubey added that ransomware generally appears at a later stage, following a clear pattern: initial infection, data theft and financial fraud, secondary payload downloads, and finally phone locking or data encryption accompanied by a ransom demand. "Victims usually realise something is wrong only after their money is gone or the phone becomes unusable," he said.
Tracing such crimes is challenging due to offshore servers, proxy routing, disposable domains and cryptocurrency payments. However, Dubey pointed out that many Indian cases involve domestic handlers using international infrastructure, with masterminds sometimes operating across borders.
DCP Lohit Matani, who is also in charge of the Nagpur cyber cell, confirmed that multiple such cases have surfaced in the city. "Cyberattacks are conceptually the same — only the method of accessing information keeps changing. Whenever we receive a complaint, the earlier it comes in, the better," he told TOI.
Matani explained that once a complaint is registered, cyber experts first ensure the malware embedded in the phone is completely removed. "After that, financial trail is tracked and efforts are made to recover the lost amount," he said, adding that delays significantly reduce the chances of recovery.