No need to RSVP: a closer look at the Tria stealer campaign

Introduction

Since mid-2024, we’ve observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which we have named “Tria Stealer” after unique strings found in campaign samples. The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected country.

Our investigation suggests that this campaign is likely operated by an Indonesian-speaking threat actor, as we found artifacts written in the Indonesian language, namely several unique strings embedded in the malware and the naming pattern of the Telegram bots that are used for hosting C2 servers.

Our findings, in a nutshell, are as follows:

  • Tria Stealer collects victims’ SMS data, tracks call logs, messages (for example, from WhatsApp and WhatsApp Business), and email data (for example, Gmail and Outlook mailboxes).
  • Tria Stealer exfiltrates the data by sending it to various Telegram bots using the Telegram API for communication.
  • The threat actor then exploits this data to hijack personal messaging accounts, impersonate account owners to request money transfers from the victims’ contacts, and compromise accounts with other services.

Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Agent.*.

Technical details

Background

We detected several APK samples tagged as Trojan-Spy.AndroidOS.Agent and originating from Malaysia and Brunei in our Kaspersky Security Network (KSN) telemetry and on third-party multi-antivirus platforms.

Further investigation revealed multiple posts by Malaysian Android users on social media platforms like X and Facebook discussing a scam campaign involving malicious APKs and WhatsApp hijacking. Our analysis indicates that this campaign has been ongoing since March 2024, with the threat actor consistently using a wedding invitation theme to lure victims into installing the malicious app. We discovered two versions of malicious APKs, with the first one initially detected in March 2024, and the second one in August of the same year. The newer sample was slightly upgraded with additional functionality and adjusted wording in messages that were sent to Telegram bots.

We named this malware “Tria Stealer” after the username found in all APK samples in the message that is sent to the C2 server during the initial execution of the malware, which states, “Having any issues? Contact me at ‘https://t[.]me/Mr_tria’”. This suggests that “Mr Tria” may be the support contact or the individual in charge of the campaign.

Overview of the Tria Stealer campaign

According to our observations, the threat actor uses stolen messages and emails to obtain security codes for hijacking their victims’ WhatsApp and Telegram accounts, which are then used to distribute the malicious APK to the victims’ contacts. Our researchers have also observed the threat actor using the hijacked WhatsApp and Telegram accounts to impersonate their owners and ask the victims’ contacts to transfer money to the actor’s bank accounts.

Besides WhatsApp and Telegram accounts, the threat actor was also able to take over and sign in to the victims’ accounts with other services by requesting transaction authorization codes (TACs) and one-time passwords (OTPs) for the relevant platforms, and then accessing the security codes in the text messages which they intercepted.

Delivery method

The threat actor distributes the APK via personal and group chats in Telegram and WhatsApp, using messages that invite recipients to a wedding and require them to install the APK to view an invitation card.

Delivery through a compromised WhatsApp account (on the left) and through a compromised Telegram account (on the right)

First-time execution

When the malicious Android app is installed, it checks whether it is being opened for the first time via the IntroActivity function, which is triggered only during the initial app launch. The app also retrieves the Boolean value associated with the key firstStart in the SharedPreferences object. If this key does not exist, the default value true is returned, meaning it’s the first time the app has been opened.

In that case, the malware requests the android.permission.RECEIVE_SMS permission to gain access to read newly received SMS messages. The app mimics a system settings app with a gear icon to trick the victim into thinking that the request and the app itself are legitimate.

Once the user grants the required permission, they are presented with a custom dialog prompting them to enter their phone number.

Custom dialog box prompts for a phone number (new version on the left, earlier version on the right)

After the victim enters their phone number and clicks “Next”, this number along with the device’s brand and model is collected and assembled into a string to be later sent to a C2. A message with Mr. Tria’s contact is also added to this string.

Building the required strings before sending them to the bot

The malware then communicates with the SendMessage Telegram API to send the collected information to one of the threat actor’s Telegram bots, as shown below.

Sending messages to the bot

In most cases we’ve seen in this campaign, the attackers used a different Telegram bot for each sample, although we managed to find a few that shared the same Telegram bot.

Meanwhile, the app updates its SharedPreferences object to record the fact that it has been opened before, preventing it from starting with the IntroActivity function again on subsequent launches.

Main activity

After completing the initial execution flow, or whenever the app is opened again, the main activity of Tria Stealer is invoked using an intent.

During this process, the app requests all permissions declared in its manifest:

  1. android.permission.READ_SMS;
  2. android.permission.RECEIVE_SMS;
  3. android.permission.INTERNET;
  4. android.permission.ACCESS_NETWORK_STATE;
  5. android.permission.READ_PHONE_STATE;
  6. android.permission.READ_CALL_LOG;
  7. android.permission.SYSTEM_ALERT_WINDOW;
  8. android.permission.WAKE_LOCK;
  9. android.permission.RECEIVE_BOOT_COMPLETED;
  10. android.permission.FOREGROUND_SERVICE.

These permissions allow the malware to access messaging and calls data and collect other information, such as the network state.

In newer variants, an additional permission, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, is declared in the manifest. This permission is utilized to intercept messages and emails via notifications.
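The permission profile above is a useful triage signal on its own. The following script is an added example (not Kaspersky’s code, nor anything from the malware) that parses a decoded AndroidManifest.xml, such as apktool output, and flags an app that combines SMS and call-log permissions with a notification listener service; the manifest it runs on is constructed for the example.

```python
"""Added triage example (not Kaspersky's or the malware's code): parse a decoded
AndroidManifest.xml and flag the Tria Stealer profile described above, i.e. SMS
and call-log permissions combined with a notification listener service."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_CALL = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_CALL_LOG"}
PERSIST = {"android.permission.RECEIVE_BOOT_COMPLETED",
           "android.permission.FOREGROUND_SERVICE", "android.permission.INTERNET"}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"


def parse_manifest(xml_text):
    """Return (declared permissions, names of notification listener services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    listeners = []
    for svc in root.iter("service"):
        # Only a service guarded by BIND_NOTIFICATION_LISTENER_SERVICE whose
        # intent-filter names the listener action is handed every notification.
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == LISTENER_PERM and LISTENER_ACTION in actions:
            listeners.append(svc.get(A + "name"))
    return perms, listeners


def triage(xml_text):
    """Return findings matching the Tria Stealer profile (empty list = no match)."""
    perms, listeners = parse_manifest(xml_text)
    findings = []
    if SMS_CALL <= perms:
        findings.append("SMS and call-log access (OTP/TAC interception risk)")
    if listeners:
        findings.append("notification listener: " + ", ".join(listeners))
    if PERSIST <= perms:
        findings.append("boot persistence with network access")
    return findings


# Constructed manifest mirroring the newer variant's declarations (not a real sample).
SAMPLE_PERMS = ["READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "INTERNET",
                "RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in SAMPLE_PERMS)
    + '<application><service android:name=".AppNotificationListener" '
    'android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">'
    '<intent-filter><action android:name="android.service.notification.'
    'NotificationListenerService"/></intent-filter></service></application></manifest>'
)
```

Running `triage(SAMPLE_MANIFEST)` returns all three findings; a manifest requesting only INTERNET returns an empty list.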

The app then sends a message to the Telegram bot, indicating that the malicious app has been opened by the victim, thus notifying the attackers.

Building strings indicating the malicious app is opened

Moreover, in this main activity, the app runs a background service designed to open the built-in system settings app using an intent. This occurs when the victim opens the app, convincing the victim that they are accessing the legitimate system settings.

SMS and call monitor

In all samples and variants of Tria Stealer, the malicious APK utilizes the BroadcastReceiver function to monitor new incoming messages and call activities through two components named SMSMonitor and CallMonitor. SMSMonitor captures SMS information, including the message content, sender’s phone number, and SIM slot details. CallMonitor tracks incoming call activities and, like SMSMonitor, extracts such details as the caller’s phone number and SIM slot (for dual SIM devices). The malware also collects additional details, including the current battery level of the victim’s phone, which either component can do.

Then the sample processes all collected data and combines it into a single message to send to the Telegram bot.

Building strings for retrieving SMS content

The threat actor uses this activity mostly to take over WhatsApp, Telegram or other accounts by reading SMS messages containing OTP/TAC codes.

App messages and mail stealer

In the newer variant of Tria Stealer, we discovered that the threat actor had developed an additional feature to steal personal messages and emails from the packages related to a number of apps, including the following:

Package name                          App name
com.whatsapp                          WhatsApp
com.whatsapp.w4b                      WhatsApp Business
com.google.android.apps.messaging     Google Messages
com.samsung.android.messaging         Samsung Messages
com.android.mms                       Default MMS
com.google.android.gm                 Gmail
com.microsoft.office.outlook          Outlook
com.yahoo.mobile.client.android.mail  Yahoo Mail

The threat actor steals messages by intercepting notifications from these apps. The onNotificationPosted function in a custom class named AppNotificationListener is triggered whenever a new notification is posted by one of the targeted apps.

onNotificationPosted function

Once a notification is received, the malware retrieves the app name that matches the packageName property of the notification. If the app is not recognized, it is labeled as “Unknown App”. Then the malware proceeds to extract the notification content and combines it with the app and contact names, device information (brand and model), and the target phone number into a formatted string. Once generated, this string is sent as a message to the Telegram bot.

Building a message to be sent to the bot

As suggested by our observations, the threat actor creates and uses separate Telegram bots for handling different types of stolen data. One bot is used for collecting texts from messaging apps and emails, while another handles SMS data. As a result, newer variants of the malware include two Telegram bot token IDs.
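The exfiltration channel described in this section (Telegram Bot API sendMessage calls, and two bot tokens in the newer variant) can be detected from network logs or decoded APK strings. The script below is an added example, not Kaspersky’s code: it assumes the public Bot API URL layout /bot<token>/<method> and a token format of a numeric bot id, a colon and a 35-character secret, and every log line and token in it is constructed.

```python
"""Added detection example (not Kaspersky's code): scan decoded APK strings or
HTTP proxy log lines for Telegram Bot API exfiltration of the kind described
above, and recover the bot tokens so they can be recorded as IoCs.
Token format (bot id, colon, 35-character secret) is assumed from the public
Bot API; all sample lines below are constructed."""
import re
from collections import defaultdict

# Bot API endpoints look like /bot<token>/<method>; sendMessage is the one Tria uses.
BOT_URL_RE = re.compile(r"https?://api\.telegram\.org/bot(\d{8,12}:[A-Za-z0-9_-]{35})/(\w+)")
TOKEN_RE = re.compile(r"(\d{8,12}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")


def find_bot_api_calls(lines):
    """Map each bot token to the set of API methods seen with it."""
    seen = defaultdict(set)
    for line in lines:
        for token, method in BOT_URL_RE.findall(line):
            seen[token].add(method)
    return dict(seen)


def extract_tokens(text):
    """Return bot tokens embedded anywhere in text (e.g. strings of a decoded APK)."""
    return sorted(set(TOKEN_RE.findall(text)))


def assess(lines):
    """Return (verdict, tokens). Two or more tokens sending messages matches the
    newer Tria variant, which uses separate bots for SMS and app/email data."""
    calls = find_bot_api_calls(lines)
    senders = sorted(t for t, methods in calls.items() if "sendMessage" in methods)
    if len(senders) >= 2:
        return "multi-bot exfiltration", senders
    if senders:
        return "bot exfiltration", senders
    return "no bot traffic", []


# Constructed proxy log lines from a phone; both tokens are fake placeholders.
SAMPLE_LOG = [
    "10:01:02 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExamp/sendMessage ua=okhttp/4.9",
    "10:01:40 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExamp/sendMessage ua=okhttp/4.9",
    "10:02:11 POST https://api.telegram.org/bot9876543210:AAFConstructedConstructedConstructe/sendMessage ua=okhttp/4.9",
    "10:02:30 GET https://www.whatsapp.com/ ua=Mozilla/5.0",
]
```

On the constructed log, `assess(SAMPLE_LOG)` returns "multi-bot exfiltration" with both placeholder tokens, the pattern this section describes for the newer variant.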

Account takeover

The threat actor’s main goal is to get full access to victims’ WhatsApp and Telegram accounts. Once compromised, these accounts are used for two main purposes:

  1. Distributing the malicious APK to the targets’ contacts through group chats and direct messages, thereby expanding the pool of victims.
  2. Impersonating the account owners to request money transfers from their contacts to the threat actor’s bank account.

Furthermore, we assume that by intercepting SMS messages, the threat actor was also able to sign in to various platforms using the victims’ accounts to inflict further damage.

The stolen information also could be exploited for other malicious activities, such as accessing online banking accounts, resetting passwords for specific platforms, or compromising services that rely on instant message or email authentication.

Attribution

We assume with high confidence that the threat actor is Indonesian-speaking, because some strings included in the messages sent to the Telegram bot are written in Indonesian, for example: “APLIKASI DI BUKA LAGI” (translated as “APPLICATION REOPENED”).

Victimology

In this campaign, we did not observe any specific targeting of individual users. However, the threat actor focuses on individuals in Malaysia and Brunei. We saw a spike in the number of detections in mid-2024, and Tria Stealer continued to be detected in January 2025.

Different campaign from UdangaSteal

In 2023 and early 2024, our researchers observed a very similar campaign under the detection name HEUR:Trojan-Banker.AndroidOS.UdangaSteal, primarily targeting victims in Indonesia, Malaysia and India to steal SMS data and exfiltrate it to Telegram bots used as C2. In this campaign, the threat actor heavily targeted Indonesian and Indian victims and utilized various lure themes, including the following:

  • wedding invitations;
  • parcel delivery;
  • credit card transactions;
  • government job offers;
  • religious events;
  • annual tax charges;
  • customer support;
  • electricity bills;
  • government initiatives for farmers;
  • vehicle registration system for Indian users.

However, we do not attribute the current Tria Stealer campaign to the threat actor behind UdangaSteal: the APK code of the two malware families differs, the Telegram bot naming patterns differ, and the victimology is different. Moreover, in the Tria Stealer campaign the threat actor upgraded the malware to steal not only SMS messages but also personal communications, including data from WhatsApp and email apps. This contrasts with UdangaSteal, whose operator used the same tactics unchanged from its rise in 2023 until late 2024.

Conclusion

The Tria Stealer campaign remains active, targeting more victims in Malaysia and Brunei. The attackers employ phishing techniques to spread the APK, allowing them to spy on victims’ personal messages and emails. According to our observations, the threat actor uses the stolen data to obtain security codes for hijacking victims’ WhatsApp and Telegram accounts, which are then used to distribute the malicious APK to the targets’ contacts. Access to security codes could also enable the attackers to take over and log in to victims’ other online accounts, extending the scope of their malicious activities.

We assess with medium confidence that the threat actor will likely continue targeting users in Malaysia and Brunei in the near future, aiming to hijack new WhatsApp and Telegram accounts and take over accounts with other services to pursue malicious activities. To protect against such threats, we strongly advise against installing apps from untrusted sources and recommend using reliable security solutions for mobile devices.

Indicators of Compromise

Tria Stealer

File hashes


Telegram bots


UdangaSteal

File hashes
