Since mid-2024, a new malware campaign targeting Android users has emerged, identified as the Tria stealer. This malware exploits wedding invitation themes to lure victims into installing malicious APK files. The attacks are primarily concentrated in Malaysia and Brunei, with a notable prevalence in Malaysia. Our investigation indicates that the attackers may be Indonesian speakers, as evidenced by certain linguistic artifacts found within the malware.
Overview of Tria stealer’s functionality
The Tria stealer is designed to harvest sensitive information from its victims, including:
- SMS and Email Data: It collects messages from services like Gmail and Outlook.
- Call Logs: The malware reads call histories and messages from applications such as WhatsApp and WhatsApp Business.
- Data Transmission: Collected data is sent to the attackers via Telegram bots using the Telegram API.
The primary objective of this malware is to hijack accounts on messaging platforms, facilitating further scams by soliciting money transfers from the victim’s contacts.
Delivery mechanism
The Tria stealer is distributed through private and group chats on Telegram and WhatsApp. Victims receive wedding invitations that prompt them to install the malicious application to view the invite. This social engineering tactic effectively lowers the victim’s guard, increasing the likelihood of installation.
Initial execution and permissions
Upon installation, Tria checks if it is being launched for the first time. If so, it requests permissions to access SMS messages, disguising itself as a settings application to avoid raising suspicion. The malware collects the user’s phone number and device information before transmitting this data to the command server via Telegram.
Core features
Once operational, Tria employs various permissions to monitor SMS messages, calls, and network states. Notably, newer versions of the malware can intercept notifications from several popular applications, including:
| Package Name | Application Name |
|---|---|
| com.whatsapp | WhatsApp |
| com.google.android.apps.messaging | Google Messages |
| com.google.android.gm | Gmail |
| com.microsoft.office.outlook | Outlook |
This capability allows attackers to extract personal messages and sensitive information directly from notifications.
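A defender-side static triage heuristic for the traits described above (SMS and call-log permissions, a notification listener service, the targeted package names, and a Telegram Bot API exfiltration URL), added here as an illustration and not code from the original report. It assumes the manifest XML and a string dump have already been extracted from the APK; the sample input below is constructed, not taken from a real sample.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions behind the SMS, call-log and device-info collection the report describes
SMS_CALL_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
}
# A service guarded by this permission is a notification listener
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Packages whose notifications newer Tria variants read (from the table above)
TARGET_PACKAGES = {"com.whatsapp", "com.google.android.apps.messaging",
                   "com.google.android.gm", "com.microsoft.office.outlook"}
# Telegram Bot API URL embedding a bot token; the token is redacted in the output
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+")

def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Return the Tria-style indicators found and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    svc_perms = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    bot_urls = {TELEGRAM_BOT_RE.sub("api.telegram.org/bot<redacted>", s)
                for s in strings if TELEGRAM_BOT_RE.search(s)}
    result = {
        "sms_call_perms": sorted(perms & SMS_CALL_PERMS),
        "notification_listener": NOTIF_LISTENER in svc_perms,
        "target_packages": sorted(set(strings) & TARGET_PACKAGES),
        "telegram_bot_urls": sorted(bot_urls),
    }
    # Exfiltration channel plus at least one harvesting capability is the Tria pattern
    harvests = bool(result["sms_call_perms"]) or result["notification_listener"]
    result["suspicious"] = bool(bot_urls) and harvests
    return result

# Constructed sample input (hypothetical package name and fake token), not a real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["com.whatsapp", "com.google.android.gm",
                  "https://api.telegram.org/bot123456:FAKE_TOKEN_abc/sendMessage"]
```

Calling triage(SAMPLE_MANIFEST, SAMPLE_STRINGS) returns the indicator dictionary with suspicious set to True; in practice the manifest comes from a decoded APK (for example apktool output) and the strings from a dump of the DEX and resources.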
Account hijacking tactics
The main goal of the Tria stealer is to gain full access to victims’ WhatsApp and Telegram accounts. By intercepting security codes sent via SMS or email, attackers can compromise these accounts and spread the malicious APK further among the victim’s contacts. This not only amplifies their reach but also enables them to solicit funds under false pretenses.
Attribution and ongoing threat
Our analysis suggests that the attackers behind Tria are likely Indonesian speakers due to specific phrases found in their communications. The campaign appears to be ongoing, with continued activity noted into early 2025.