Tria Stealer Malware Exploits Android Devices to Harvest SMS Data

Cybersecurity researchers have uncovered a disturbing malware campaign targeting Android users in Malaysia and Brunei.

Dubbed “Tria Stealer,” this Trojan spyware exploits wedding invitation-themed messages to lure victims into downloading a malicious APK (Android Package) file.

First detected in early 2024, the malware has been linked to an Indonesian-speaking threat actor, based on linguistic artifacts embedded in the malware.

This active campaign has seen significant activity extending into early 2025 and poses severe threats to personal data and account security.

Malware Capabilities

The Tria Stealer malware showcases a sophisticated approach to data exfiltration, leveraging Telegram bots for command-and-control (C2) operations.

Figure: Overview of the Tria Stealer campaign

Once installed on a victim’s device, the malware obtains permissions to read SMS messages, call logs, and the messages and emails of apps such as WhatsApp, Gmail, and Outlook.

It then siphons this sensitive data to designated Telegram bots for further exploitation.

A standout tactic utilized by the threat actor is account takeover. Stolen SMS data, which often contains one-time passwords (OTPs) or transaction authorization codes (TACs), is used to hijack accounts such as WhatsApp, Telegram, and others.

Once control is established, malicious actors impersonate the victim to propagate the malware further via group chats or direct messages, and in some cases, demand financial transfers from the victim’s contacts.

The campaign employs highly contextualized phishing techniques, with the malicious APK masked as a wedding invitation app.

This APK has undergone multiple updates, with newer versions featuring enhanced functionalities, such as the ability to intercept app notifications to steal email or messaging data.

Execution Tactics

The malware is distributed predominantly through compromised WhatsApp or Telegram accounts.

Victims receive personalized messages containing links to download a fake wedding invitation app.

Upon installation, the app disguises itself with an innocuous gear icon, resembling a legitimate settings application.

During the first execution, the malware requests SMS and other permissions, presenting itself as trustworthy.

It also collects vital device information, including phone numbers and model details, sending this data directly to a Telegram bot used by the attackers.

Figure: Building a message to be sent to the bot

Once permissions are granted, the malware operates in the background, employing broadcast receivers to monitor incoming SMS and call logs continuously.
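The capability set described above (SMS and call-log permissions, a broadcast receiver on SMS_RECEIVED, and a notification-listener service for harvesting other apps' messages) can be triaged statically from an APK's decoded AndroidManifest.xml. The script below is an added defender-side example, not code from the campaign or from the researchers; the manifest it parses is constructed to mimic the described behaviour, and the package, class names and scoring thresholds are assumptions.

```python
"""Defender-side static triage of an Android manifest for the Tria-style
capability set: SMS/call-log permissions, an SMS_RECEIVED receiver and a
notification-listener service. Added example, not the campaign's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Permissions that together enable SMS/OTP interception and call-log theft.
SENSITIVE_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the risky capabilities found and a coarse verdict (assumed scale)."""
    root = ET.fromstring(xml_text)
    found = {"permissions": [], "sms_receiver": False, "notification_listener": False}
    for perm in root.iter("uses-permission"):
        if perm.get(NAME) in SENSITIVE_PERMS:
            found["permissions"].append(perm.get(NAME))
    # A receiver bound to SMS_RECEIVED sees every incoming SMS, OTPs included.
    for receiver in root.iter("receiver"):
        if any(a.get(NAME) == SMS_ACTION for a in receiver.iter("action")):
            found["sms_receiver"] = True
    # A notification listener exposes message/email content of other apps.
    for service in root.iter("service"):
        if service.get(PERMISSION) == NOTIF_LISTENER:
            found["notification_listener"] = True
    if found["sms_receiver"] and found["permissions"]:
        found["verdict"] = "high"
    elif found["permissions"] or found["notification_listener"]:
        found["verdict"] = "medium"
    else:
        found["verdict"] = "low"
    return found

# Constructed sample manifest (hypothetical package/class names) mimicking
# the described capability set; a real sample would come from apktool output.
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.invite">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Settings">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="%s"/></intent-filter>
    </receiver>
    <service android:name=".NotifSvc" android:permission="%s"/>
  </application></manifest>""" % (ANDROID_NS, SMS_ACTION, NOTIF_LISTENER)
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the "high" verdict; the same function can be pointed at any decoded manifest to flag apps whose declared capabilities match this pattern.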

The Tria Stealer operation appears organized and deliberate. Indicators such as the use of Indonesian in embedded strings point to an Indonesian-speaking actor.

While the campaign bears some resemblance to the earlier “UdangaSteal” malware, which targeted similar geographic regions, Securelist researchers have noted distinct differences in code and tactics, ruling out direct attribution to the same group.

Tria Stealer represents a significant threat to Android users in Southeast Asia, demonstrating how social engineering, combined with advanced data exfiltration techniques, can wreak havoc on personal and financial security.

The campaign remains active as of January 2025, with no signs of scaling back.

To mitigate such threats, experts strongly advise against installing apps from unverified sources and recommend using robust mobile security solutions capable of detecting evolving spyware like Tria Stealer.
