TRIA STEALER ANDROID MALWARE CAMPAIGN

Risk:
high
Damage:
high
Platform(s):
Android OS
Advisory ID:
ngCERT-2025-050010
Version:
N/A
CVE:
N/A
Published:
May 28, 2025

Summary


ngCERT’s attention has been drawn to a sophisticated Android malware campaign tagged Tria Stealer. The trojan exploits Android devices to harvest SMS data and to hijack WhatsApp and Telegram accounts. Reportedly, Tria Stealer is spread by luring unsuspecting persons into downloading a malicious Android Package Kit (APK) through fake wedding or event invitations sent on mobile messaging apps. Once installed, the trojan steals sensitive data and uses it for account hijacking and financial fraud. Consequently, Android users are advised to take proactive steps to safeguard their devices against Tria Stealer infiltration.

Description & Consequence


Tria Stealer malware spreads via fake wedding invitations on Telegram and WhatsApp, tricking users into downloading malicious APK files. Once installed, it masquerades as a system app and requests access to SMS, call logs, and app notifications. The malware then monitors messages and emails and exfiltrates their content to a command-and-control (C2) server operated through Telegram bots. It intercepts OTPs to hijack accounts and uses the compromised accounts for scams and for further distribution of the malware.

Once activated, Tria Stealer employs sophisticated evasion techniques to avoid detection by security software and researchers. It uses encryption and obfuscation methods to conceal its activities and maintains persistence by reactivating itself every time the device is restarted. In addition to stealing sensitive information, the malware can also manipulate the infected device's settings and install additional payloads, further compromising the user's privacy and security.
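As an added illustration of the capability set described above (not part of the advisory), the following script triages a decoded AndroidManifest.xml for the combination of SMS and call-log permissions, a notification-listener service, a boot receiver used for persistence, network access and a system-like app label. The manifest, package name and component names are constructed for the example; real samples should be analysed in an isolated environment.

```python
# Heuristic triage of a decoded AndroidManifest.xml for the capability set the
# advisory attributes to Tria Stealer. The sample manifest is constructed.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERMS = {"android.permission.READ_CALL_LOG"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SYSTEM_WORDS = ("system", "settings", "update")  # labels a fake system app might use


def triage_manifest(manifest_xml: str) -> dict:
    """Return capability flags, a score and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(A + "label") or "").lower() if app is not None else ""
    services = list(app.iter("service")) if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []
    flags = {
        "internet": "android.permission.INTERNET" in perms,
        "sms_access": bool(perms & SMS_PERMS),
        "call_log_access": bool(perms & CALL_LOG_PERMS),
        # Notification access is declared on a <service>, not as uses-permission.
        "notification_listener": any(s.get(A + "permission") == NOTIF_LISTENER for s in services),
        # A BOOT_COMPLETED receiver is the usual way to re-arm after a restart.
        "boot_persistence": any(
            act.get(A + "name") == BOOT_ACTION for r in receivers for act in r.iter("action")
        ),
        "system_mimic_label": any(w in label for w in SYSTEM_WORDS),
    }
    score = sum(flags.values())
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "low"
    return {**flags, "score": score, "verdict": verdict}


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Settings">
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".BootRcv">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A score of four or more on the constructed sample yields "suspicious"; a manifest declaring only INTERNET scores one and is reported as "low".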

To protect against Tria Stealer, users should be vigilant about the sources of their downloads and verify the authenticity of any unexpected invitations or links received through messaging platforms. Installing reputable antivirus software and keeping it updated can help detect and mitigate threats. Users should also enable two-factor authentication for their accounts and refrain from granting unnecessary permissions to apps, especially those not obtained from official app stores.

Compromise of Android systems by Tria Stealer malware could lead to the following:

  1. Account takeover of messaging platforms.
  2. Impersonation of victim for fraudulent money transfer requests.
  3. Compromise of banking and financial applications.
  4. Identity theft and credential harvesting.

Solution


The following are recommended:

1. Individuals should:

  1. Download apps directly from trusted sources like the Google Play Store.
  2. Be wary of messages requesting app installations, even if they appear to come from friends or trusted contacts.
  3. Use 2FA wherever possible to secure your accounts.
  4. Install, use and keep updated mobile antivirus tools to detect and block malware.

2. Organizations should:

  1. Implement awareness campaigns about suspicious app installation requests.
  2. Highlight the dangers of clicking on links in messaging platforms, even from known contacts.
  3. Deploy mobile threat detection solutions for critical personnel.
  4. Implement Mobile Device Management (MDM) policies where applicable.
  5. Deploy network monitoring for suspicious outbound connections to known C2 domains.
