A sophisticated Android malware campaign, dubbed Tria Stealer, has targeted users in Malaysia and Brunei since mid-2024, exploiting social engineering tactics hidden within seemingly innocent wedding invitations.
The campaign primarily preys on users by distributing malicious Android Package Kits (APKs) disguised as digital invitation cards shared via WhatsApp and Telegram. This deceptive approach encourages victims to download and install the malware, leading to significant data theft and potential financial fraud.
According to Kaspersky, which has flagged this malware under the identifier HEUR:Trojan-Spy.AndroidOS.Agent.*, the Tria Stealer campaign involves the theft of sensitive data, including SMS messages, call logs, WhatsApp messages, and email communications from services like Gmail. Once the malware is installed, it masquerades as a system settings app, requesting various permissions to intercept communications and access personal information.
Upon first execution, the malware uses its IntroActivity component to determine whether it is being launched for the first time. It then requests permissions such as android.permission.RECEIVE_SMS to support its operation. The app is designed to appear legitimate and build trust by imitating familiar system functionality, down to a gear icon.
Once the app is activated, it prompts the victim to enter their phone number—information which is then sent to the attackers’ command-and-control (C2) server using Telegram’s API. This method allows criminals to hijack victims’ accounts and execute fraudulent transactions potentially targeting the victim’s contacts.
Tria Stealer's more advanced features include notification interception, which lets it extract and steal messages from a range of applications. This includes watching for one-time passwords (OTPs) and transaction authorization codes (TACs), which are particularly useful for hijacking accounts linked to online banking and e-commerce.
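The traits described above (the RECEIVE_SMS permission, a notification-listener service used to intercept OTPs, and a "system settings" disguise) are exactly the combination a defender can look for when triaging a decoded APK manifest. The following Python is an added example, not code from the article or from Kaspersky; it assumes a decoded AndroidManifest.xml with string resources already resolved, and the sample manifest embedded in it is constructed.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace (android:name, android:label, ...).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the data theft the article describes.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS (OTP/TAC theft)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_CALL_LOG": "can read call logs",
}
# A NotificationListenerService must declare this permission to be bound.
NOTIFICATION_LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Labels that imitate the system settings app (English and Indonesian).
SETTINGS_KEYWORDS = ("settings", "pengaturan")


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings and a simple score for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"permission {name}: {SUSPICIOUS_PERMISSIONS[name]}")
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            if _attr(svc, "permission") == NOTIFICATION_LISTENER_PERMISSION:
                findings.append(f"service {_attr(svc, 'name')} binds as a notification "
                                "listener (can harvest OTPs from other apps' notifications)")
        label = _attr(app, "label").lower()
        if any(k in label for k in SETTINGS_KEYWORDS):
            findings.append(f"app label {label!r} imitates the system settings app")
    return {"findings": findings, "score": len(findings)}


# Constructed sample manifest showing the combination of traits from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Settings" android:icon="@drawable/gear">
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

A score of 2 or more (SMS access plus a notification listener, or either plus a settings disguise) is a reasonable trigger for manual review; legitimate SMS apps and accessibility tools will also request some of these, so the score is a triage aid, not a verdict.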
Researchers have detected two iterations of the malware since its emergence. The second version, identified in August 2024, exhibited enhanced communications features, with improvements made to the wording of communications sent through Telegram and additional capabilities to steal app notifications.
The analysis of this malware campaign strongly suggests it operates under the guidance of Indonesian-speaking threat actors. This conclusion is supported by embedded Indonesian-language strings found within the malicious code, such as “APLIKASI DI BUKA LAGI,” which translates to “APPLICATION REOPENED.”
Unlike past malware campaigns, such as UdangaSteal, the Tria Stealer showcases distinct operational tactics and coding styles. This evolution underlines the growing sophistication and invasiveness of mobile malware targeting Southeast Asian users.
The cybercriminals behind Tria Stealer have effectively manipulated human trust, leveraging social engineering techniques to infiltrate personal devices. With increasing numbers of digital scams employing such advanced tactics, the risk to users remains significant.
Experts recommend vigilance among mobile users, emphasizing the need to remain cautious about unsolicited invitations and to refrain from downloading apps from unverified sources. Utilizing reliable security solutions and being alert to potential scams is more important than ever.
As of January 31, 2025, cybersecurity organizations continue to monitor the campaign because of its persistent threat and its evolution since inception. Securelist emphasizes the importance of detecting and mitigating such threats, urging both individuals and organizations to strengthen their defenses as mobile malware attacks proliferate.
Victims of Tria Stealer face serious risks, including unauthorized access to messaging accounts and the exploitation of stolen data for financial fraud. Cybersecurity professionals advise users throughout Malaysia and Brunei to adopt stronger security measures to protect personal and financial information from this increasingly sophisticated malware.