Since mid-2024, cybersecurity researchers have been tracking a sophisticated Android malware campaign dubbed “Tria Stealer,” which uses fake wedding invitations to lure users into installing malicious apps (APK files).
Malware Campaign Overview
The campaign primarily targets users in Malaysia and Brunei, with Malaysia experiencing the most significant impact.
Analysis indicates the operation originates from an Indonesian-speaking threat actor, supported by embedded Indonesian-language strings and naming conventions in the malware’s architecture.
Detected under the identifier HEUR:Trojan-Spy.AndroidOS.Agent.*, this malware has been flagged by Kaspersky’s security solutions.
Tria Stealer harvests sensitive data, including SMS messages, call logs, emails, and personal communications from apps like WhatsApp and Gmail.
The stolen data is transmitted to the attacker using Telegram bots, enabling account takeovers and fraudulent money-transfer requests targeting victims’ contacts.
The campaign uses custom Telegram API bots to handle command-and-control (C2) communications.
Technical Insights into Tria Stealer Functionality
The malicious APK distribution theme revolves around enticing users with seemingly legitimate wedding invitations shared via compromised WhatsApp and Telegram accounts.
Upon installation, the malware disguises itself as a system settings app, requesting permissions to access SMS, call logs, and notifications.
During its initial execution, it gathers device information, phone numbers, and personal app-related data, transmitting them to the attacker’s Telegram bots.
Tria Stealer incorporates advanced features, including notification interception, which allows it to extract and exfiltrate messages from apps like WhatsApp, Outlook, and Gmail.
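The permission profile described above (SMS, call log and notification access in an app that calls itself "Settings") is something an analyst can triage straight from an APK's AndroidManifest.xml. The following script is an added example, not code from the article or from Kaspersky; the manifest it parses is constructed to mirror the described behaviour and is not taken from a real sample. It flags the combination of dangerous permissions, an SMS_RECEIVED receiver, a declared NotificationListenerService, and a system-app-imitating label, and returns the findings so they can be scored or fed into a sandbox pipeline.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; element names do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Permission groups matching the behaviour the article attributes to Tria Stealer.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"}
NOTIFICATION_SERVICE_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Labels that a non-system package has no business using.
SYSTEM_LOOKALIKE_LABELS = {"settings", "system settings"}

# Constructed manifest (assumption: modelled on the described behaviour, not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Settings">
    <receiver android:name=".SMSMonitor">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, label and a list of suspicious findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""

    # A broadcast receiver listening for incoming SMS (the "SMSMonitor" pattern).
    sms_receiver = any(
        act.get(A + "name") == SMS_RECEIVED_ACTION for act in root.iter("action")
    )
    # A service guarded by the notification-listener permission reads every notification.
    notif_listener = any(
        svc.get(A + "permission") == NOTIFICATION_SERVICE_PERM
        for svc in root.iter("service")
    )

    findings = []
    if perms & SMS_PERMS:
        findings.append("requests SMS access")
    if perms & CALL_PERMS:
        findings.append("requests call-log access")
    if sms_receiver:
        findings.append("registers an SMS_RECEIVED receiver")
    if notif_listener:
        findings.append("declares a notification listener service")
    if label.strip().lower() in SYSTEM_LOOKALIKE_LABELS and not package.startswith("com.android."):
        findings.append("app label imitates the system Settings app")

    return {"package": package, "label": label, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(name, result["package"], result["score"], result["findings"])
```

Run against a real APK, the manifest first has to be decoded (binary AXML) with a tool such as apktool or androguard; this script only handles the decoded XML. A high score is a triage signal, not a verdict: legitimate SMS or dialer apps request the same permissions, so the label mismatch and the installation source (sideloaded APK from a chat message) are what tip the balance.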


This capability supports one-time password (OTP) and transaction authorization code (TAC) theft, essential for the attackers to hijack accounts linked to messaging and financial services.
Additionally, the malware monitors SMS and call activity using custom components named SMSMonitor and CallMonitor to collect message content, sender information, and call details.
Later variants of Tria Stealer enhanced their functionality, adding the ability to intercept notifications from various apps and to capture not just SMS but also emails, personal messages, and contact information.
The attackers deliberately segregate stolen information across multiple Telegram bots dedicated to specific data sets, such as SMS or app notifications.
The campaign is designed to exploit messaging app accounts for two main objectives: propagating the malware further and impersonating users to defraud their contacts.
Victims’ stolen data may also enable access to banking services, e-commerce accounts, and other platforms that rely on SMS or email for verification.
Unlike earlier malware campaigns such as UdangaSteal, which targeted similar regions, Tria Stealer shows distinct traits, including more sophisticated data theft and account compromise mechanisms.
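The use of several Telegram bots per infected device, one per data type, leaves a network-side pattern: a single client posting to the Telegram Bot API under multiple distinct bot IDs. The script below is an added detection example, not code from the article or from Kaspersky. It assumes proxy logs in which the full URL is visible (an explicit proxy with TLS inspection, or a mobile device management agent that records URLs); without that, only the host api.telegram.org is visible and grouping by bot is not possible. The log lines are constructed, and the bot secrets are placeholders that the code redacts before reporting.

```python
import re
from collections import defaultdict

# Bot API calls take the form https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed proxy log: "<timestamp> <client> <http method> <url>". Not real traffic;
# the bot secrets are placeholders.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 10.0.0.21 POST https://api.telegram.org/bot1111111111:TOKEN_A_PLACEHOLDER/sendMessage
2025-01-10T08:00:02Z 10.0.0.21 POST https://api.telegram.org/bot2222222222:TOKEN_B_PLACEHOLDER/sendMessage
2025-01-10T08:00:05Z 10.0.0.21 POST https://api.telegram.org/bot1111111111:TOKEN_A_PLACEHOLDER/sendMessage
2025-01-10T08:01:00Z 10.0.0.33 GET https://web.telegram.org/k/
2025-01-10T08:01:30Z 10.0.0.21 POST https://api.telegram.org/bot3333333333:TOKEN_C_PLACEHOLDER/sendDocument
"""


def parse_bot_calls(log_text):
    """Extract Telegram Bot API calls from the log; ordinary Telegram web/app traffic is ignored."""
    calls = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or unrelated line
        ts, client, http_method, url = parts
        m = BOT_URL.match(url)
        if not m:
            continue
        # Keep the bot ID (public-ish numeric prefix) but never log the secret itself.
        calls.append({
            "ts": ts,
            "client": client,
            "http_method": http_method,
            "bot_id": m["bot_id"],
            "secret_redacted": m["secret"][:2] + "***",
            "api_method": m["method"],
        })
    return calls


def summarize_by_client(calls, min_bots=2):
    """Alert on clients that talk to at least `min_bots` distinct bots (the multi-bot exfil pattern)."""
    per_client = defaultdict(lambda: {"bots": set(), "calls": 0, "api_methods": set()})
    for c in calls:
        entry = per_client[c["client"]]
        entry["bots"].add(c["bot_id"])
        entry["calls"] += 1
        entry["api_methods"].add(c["api_method"])

    alerts = []
    for client, entry in sorted(per_client.items()):
        if len(entry["bots"]) >= min_bots:
            alerts.append({
                "client": client,
                "bot_count": len(entry["bots"]),
                "calls": entry["calls"],
                "api_methods": sorted(entry["api_methods"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in summarize_by_client(parse_bot_calls(SAMPLE_LOG)):
        print(alert)
```

Legitimate automation also calls the Bot API, so the rule is best scoped to client ranges where bots are not expected (mobile device VLANs, BYOD Wi-Fi) and paired with the sendMessage/sendDocument methods, which carry payloads out; the bot ID is worth retaining in the alert because it is what lets separate victims be tied to the same operator infrastructure.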


Attribution analysis strongly suggests Indonesian origins, with malware strings and bot names pointing to this conclusion.
Victimology patterns reveal no specific targeting of individuals but a broad focus on users in Malaysia and Brunei.
Evidence indicates the campaign has been active since March 2024 and continues into January 2025.
According to Securelist, Tria Stealer’s evolving tactics signal a persistent threat to mobile users in Southeast Asia.
By leveraging social engineering and phishing techniques, attackers exploit human trust and device weaknesses.
Users are strongly advised to avoid installing apps from unverified sources, remain cautious of unsolicited messages, and protect their devices with reliable security solutions.
Cybersecurity professionals emphasize the importance of detecting and mitigating such threats early.
Organizations and individuals must remain vigilant, as this campaign highlights the growing sophistication of mobile malware attacks.