Kaspersky's Global Research and Analysis Team (GReAT) has detected a new malicious campaign targeting Android users. It uses fake wedding invitations to lure victims into installing a malicious application, which Kaspersky has labelled Tria Stealer.
The malware forwards the content of text messages and emails, along with other data, to the attackers, and it hijacks the device owner's WhatsApp and Telegram accounts to ask their friends or family for money.
Because the malware intercepts SMS messages, the attackers can also take over accounts in other apps and services (online banking, for example) by requesting one-time password (OTP) login codes from those services and reading them from the intercepted messages.
On Android devices it is possible for users to install apps directly from installation files, which come in the APK file format, bypassing official app stores like Google Play. While this can come in handy in some scenarios, it also poses risks and is sometimes used by cybercriminals to spread malware.
Specifically, the Tria Stealer is distributed as an APK installation file via personal and group chats on Telegram and WhatsApp, using social engineering to invite the recipients to an alleged wedding and asking them to install the APK to view the invitation card.
After installation, the malware requests permissions that give it access to sensitive data and functions: reading and receiving text messages, monitoring phone state, call logs and network activity, displaying system-level alerts, running in the background, and starting automatically after a device reboot.
Together, these permissions grant significant control over the device, and the attackers can also intercept the victim's notifications to steal messages and emails. The application mimics a system settings app, gear icon included, so that the victim takes both the permission requests and the app itself for legitimate.
The user is also prompted to enter their phone number, which is sent to the attackers along with the device’s brand and model. All stolen data is transferred to the attackers via Telegram bots.
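As an added illustration, not code from Kaspersky or from the campaign's samples, the following Python script shows how a responder could triage a sideloaded APK for the permission combination described above. It parses the text that `aapt dump permissions <apk>` prints (the exact line format is an assumption of this example) and flags an APK that can read SMS, reach the network, and either survive a reboot or display system-level alerts. The package names and permission dumps embedded in the script are constructed for the example.

```python
"""Triage an Android APK's requested permissions for a stealer-like profile.

Added example. Input is the text output of `aapt dump permissions <apk>`,
assumed to look like:
    package: com.example.app
    uses-permission: name='android.permission.READ_SMS'
The Android permission names are the platform's own; the capability grouping
and the rule are this example's, following the article's description.
"""
import re
from typing import Dict, Set, Tuple

PKG_RE = re.compile(r"^package:\s+(\S+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s+name='([^']+)'")

# Capability groups matching the behaviour described in the article.
CAPABILITIES: Dict[str, Set[str]] = {
    "sms_capture": {"android.permission.READ_SMS",
                    "android.permission.RECEIVE_SMS"},
    "device_info": {"android.permission.READ_PHONE_STATE",
                    "android.permission.READ_CALL_LOG",
                    "android.permission.ACCESS_NETWORK_STATE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.FOREGROUND_SERVICE"},
    "network": {"android.permission.INTERNET"},
}


def parse_aapt_permissions(text: str) -> Tuple[str, Set[str]]:
    """Return (package name, set of requested permissions) from aapt output."""
    package = ""
    perms: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def matched_capabilities(perms: Set[str]) -> Set[str]:
    """Capability groups for which at least one permission is requested."""
    return {cap for cap, names in CAPABILITIES.items() if perms & names}


def triage(text: str) -> Dict[str, object]:
    """Flag an APK that can read SMS, talk to the network, and either
    persists across reboot or can draw system-level alerts."""
    package, perms = parse_aapt_permissions(text)
    caps = matched_capabilities(perms)
    stealer_like = (
        "sms_capture" in caps
        and "network" in caps
        and bool({"persistence", "overlay"} & caps)
    )
    return {
        "package": package,
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "stealer_like": stealer_like,
    }


# Constructed sample dumps (hypothetical package names, not real samples).
SUSPECT_DUMP = """\
package: com.example.invitation
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.INTERNET'
"""

BENIGN_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for dump in (SUSPECT_DUMP, BENIGN_DUMP):
        result = triage(dump)
        print(result["package"], "stealer_like =", result["stealer_like"],
              "capabilities =", result["capabilities"])
```

A legitimate SMS client requests much the same set, so treat the flag as a triage signal for APKs that arrived through a chat rather than a store, not as a verdict. Notification-listener access, the route by which message and email notifications are read, is declared on a service guarded by `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE` rather than as a `uses-permission` entry, so it does not appear in this output and must be checked in the manifest separately.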
“This malicious application has been named ‘Tria Stealer’ by Kaspersky based on unique text strings found in the campaign’s samples,” comments Fareed Radzi, security researcher with Kaspersky GReAT. “Our investigation suggests that this stealer is likely operated by Indonesian-speaking threat actors, as we found artifacts written in Indonesian, namely several unique strings embedded in the malware and the naming pattern of the Telegram bots that are used by the attackers.
“Stealers can inflict serious financial losses and privacy breaches, and it’s very important for individuals and corporate users to always be on alert and avoid blindly following requests that they get online, even if these come from someone they know.”