Introduction
Since mid-2024, we’ve observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which we have named “Tria Stealer” after unique strings found in campaign samples. The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected country.
Our investigation suggests that this campaign is likely operated by an Indonesian-speaking threat actor, as we found artifacts written in the Indonesian language, namely several unique strings embedded in the malware and the naming pattern of the Telegram bots that are used for hosting C2 servers.
Our findings, in a nutshell, are as follows:
Tria Stealer collects victims’ SMS data, tracks call logs, messages (for example, from WhatsApp and WhatsApp Business), and email data (for example, Gmail and Outlook mailboxes).
Tria Stealer exfiltrates the data by sending it to various Telegram bots using the Telegram API for communication.
The threat actor then exploits this data to hijack personal messaging accounts, impersonate account owners to request money transfers from the victims’ contacts, and compromise accounts with other services.
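Because the stealer talks to Telegram bots over the public Bot API, the exfiltration is visible in egress logs as repeated requests to api.telegram.org/bot&lt;id&gt;:&lt;secret&gt;/&lt;method&gt; from a single device. The following detection script is an added example, not code from the report or from Kaspersky; the log format, the sample lines and the bot-token regex are constructed assumptions, and it deliberately records only the numeric bot id, never the token secret.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The token shape (numeric id, colon, 35-char secret) is an approximation; tune it to your telemetry.
BOT_PATH = re.compile(r"^/bot(\d{8,10}):([A-Za-z0-9_-]{35})/([A-Za-z]+)$")

# Constructed proxy-log excerpt (not from the report): "<ts> <client_ip> <method> <url> <user_agent>"
SAMPLE_LOGS = """\
2024-06-03T10:14:02Z 10.0.5.21 POST https://api.telegram.org/bot7123456789:AAFakeTokenFakeTokenFakeTokenFake12/sendMessage okhttp/4.9.0
2024-06-03T10:14:05Z 10.0.5.21 POST https://api.telegram.org/bot7123456789:AAFakeTokenFakeTokenFakeTokenFake12/sendDocument okhttp/4.9.0
2024-06-03T10:15:11Z 10.0.5.33 GET https://www.example.com/index.html Mozilla/5.0
2024-06-03T10:16:40Z 10.0.5.21 POST https://api.telegram.org/bot7123456789:AAFakeTokenFakeTokenFakeTokenFake12/sendMessage okhttp/4.9.0
2024-06-03T10:17:01Z 10.0.5.40 POST https://api.telegram.org/bot9876543210:AAOtherBotOtherBotOtherBotOtherBot9/sendMessage Telegram-Android/10.0
"""

def parse_line(line):
    """Split one log line into its five fields; returns None for malformed input."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, client, method, url, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}

def bot_api_call(url):
    """Return (bot_id, api_method) if the URL is a Telegram Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    return (m.group(1), m.group(3)) if m else None  # secret in group 2 is dropped on purpose

def find_bot_exfil(log_text, min_calls=2):
    """Group Bot API calls per (client, bot id) and return the pairs seen at least min_calls times."""
    seen = defaultdict(lambda: {"count": 0, "methods": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        hit = bot_api_call(rec["url"]) if rec else None
        if not hit:
            continue
        bot_id, api_method = hit
        entry = seen[(rec["client"], bot_id)]
        entry["count"] += 1
        entry["methods"].add(api_method)
    return {k: v for k, v in seen.items() if v["count"] >= min_calls}

if __name__ == "__main__":
    for (client, bot_id), info in find_bot_exfil(SAMPLE_LOGS).items():
        print(f"{client} -> bot {bot_id}: {info['count']} calls, methods={sorted(info['methods'])}")
```

Official Telegram clients use MTProto rather than the Bot API, so any mobile host posting to a bot endpoint repeatedly is worth triage; lower min_calls to 1 to list every hit.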
Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Agent.*.
Technical details
Background
We detected several APK samples tagged as Trojan-Spy.AndroidOS.Agent and originating from Malaysia and Brunei in our Kaspersky Security Network (KSN) telemetry and on third-party multi-antivirus platforms. Further investigation revealed multiple posts by Malaysian Android users on social media platforms like X and Facebook discussing a scam campaign involving malicious APKs and WhatsApp hijacking. Our analysis indicates that this campaign has been ongoing since March 2024, with the threat actor consistently using a wedding invitation theme to lure victims into installing the malicious app. We di ..