Tria Stealer Targeting Android Users Through Wedding Invitation Lure Campaign

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Cyble Research and Intelligence Labs (CRIL) came across an article wherein a security researcher discovered a malicious Android campaign that has been leveraging wedding invitations as a lure to social-engineer victims into installing a malicious APK, identified as “Tria Stealer” based on unique strings found in campaign samples. The primary targets of this campaign are users in Malaysia and Brunei, with Malaysian users being the most affected.
Evidence suggests that the campaign is likely operated by an Indonesian-speaking threat actor, as several artifacts in the malware contain Indonesian-language strings, including unique embedded text and the naming pattern of Telegram bots used for hosting Command and Control (C&C) servers.

Further investigation uncovered multiple posts by Malaysian Android users on social media platforms like X and Facebook, discussing a scam campaign involving malicious APKs and WhatsApp hijacking. Evidence indicates that this campaign has been active since March 2024, with the threat actor consistently using a wedding invitation theme to deceive victims into installing the malicious app. Two versions of the malicious APK have been identified—the first detected in March 2024 and the second in August 2024. The newer variant features additional functionality and revised wording in messages sent to Telegram bots.
The malware was named “Tria Stealer” based on the username found in all APK samples, which appears in a message sent to the C&C server upon initial execution: “Having any issues? Contact me at ‘xxps://t[.]me/Mr_tria’.” This suggests that “Mr Tria” may be the designated support contact or the individual responsible for the campaign.

The threat actor exploits stolen messages and emails to obtain security codes, allowing them to hijack victims’ WhatsApp and Telegram accounts. These compromised accounts are then used to distribute the malicious APK to the victims’ contacts. Additionally, the hijacked WhatsApp and Telegram accounts are leveraged for impersonation, with the attacker posing as the legitimate account owners to deceive contacts into transferring money to the actor’s bank accounts.
Beyond WhatsApp and Telegram, the threat actor has also taken control of victims’ accounts on other services by requesting transaction authorization codes (TACs) and one-time passwords (OTPs). These security codes intercepted from text messages enable unauthorized access to various platforms, further expanding the scope of the attack.
Technical Detail
When the malicious Android app is installed, it determines whether it is being launched for the first time using the IntroActivity function, which is triggered only during the initial run. It also checks the Boolean value associated with the firstStart key in the SharedPreferences object. If the key is absent, the default value true is returned, indicating a first-time launch.
In this case, the malware requests the android.permission.RECEIVE_SMS permission to access and read incoming SMS messages. To appear legitimate, the app disguises itself as a system settings application, using a gear icon to deceive the victim.
Once the required permission is granted, the user is presented with a custom dialog prompting them to enter their phone number.

After the victim enters their phone number and clicks “Next,” the app collects this number along with the device’s brand and model, assembling the data into a string for later transmission to a C&C server. A message containing Mr. Tria’s contact information is also appended to this string.

The malware then utilizes the SendMessage Telegram API to transmit the collected information to one of the threat actor’s Telegram bots, as illustrated below.

The malicious APK registers BroadcastReceiver components to monitor incoming messages and call activity through two classes: SMSMonitor and CallMonitor. SMSMonitor captures SMS details, including message content, the sender's phone number, and SIM slot information. CallMonitor tracks incoming call activity, extracting details such as the caller's phone number and the SIM slot on dual-SIM devices.
Additionally, the malware gathers other device information, including the current battery level, which can be accessed through either of these components. All collected data is then processed and compiled into a single message before being sent to the Telegram bot.

The threat actor primarily uses this activity to hijack WhatsApp, Telegram, and other accounts by intercepting SMS messages containing OTP or TAC codes.
In the newer variant of Tria Stealer, the threat actor introduced an additional feature to steal personal messages and emails from the packages of several apps, including:
WhatsApp (com.whatsapp)
WhatsApp Business (com.whatsapp.w4b)
Google Messages (com.google.android.apps.messaging)
Samsung Messages (com.samsung.android.messaging)
Default MMS (com.android.mms)
Gmail (com.google.android.gm)
Outlook (com.microsoft.office.outlook)
Yahoo Mail (com.yahoo.mobile.client.android.mail)
The threat actor intercepts messages by capturing notifications from these apps. The onNotificationPosted function in a custom class called AppNotificationListener is triggered whenever a new notification is posted by one of the targeted apps.
When a notification is received, the malware retrieves the app name corresponding to the packageName property of the notification. If the app is unrecognized, it is labeled as "Unknown App." The malware then extracts the notification content and combines it with the app and contact names, device information (brand and model), and the target phone number into a formatted string. This string is subsequently sent as a message to the Telegram bot.

The threat actor utilizes separate Telegram bots to manage different types of stolen data. One bot is designated for collecting texts from messaging apps and emails, while another is responsible for handling SMS data. Consequently, newer malware variants include two distinct Telegram bot token IDs.
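As an added example (not code from the Cyble write-up or from the malware itself), the following Python triage script scores a decoded AndroidManifest.xml and a list of extracted strings for the indicator combination described above: the RECEIVE_SMS permission, an SMS_RECEIVED receiver, a notification listener service, references to the listed messaging and email packages, and Telegram Bot API sendMessage endpoints. The sample manifest, strings and bot tokens are constructed placeholders, not artifacts from the campaign.

```python
# Added triage example (not from the report or the malware): flag the indicator
# combination the Tria Stealer write-up describes in a decoded manifest + strings.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Package names the report lists as notification-harvesting targets.
TARGET_PACKAGES = {
    "com.whatsapp", "com.whatsapp.w4b", "com.google.android.apps.messaging",
    "com.samsung.android.messaging", "com.android.mms", "com.google.android.gm",
    "com.microsoft.office.outlook", "com.yahoo.mobile.client.android.mail",
}
# Bot API exfiltration endpoint; the newer variant embeds two distinct bot tokens.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[\w-]+)/sendMessage")

def triage(manifest_xml: str, strings: list) -> dict:
    # Collect manifest-level indicators: permissions, intent actions, listener services.
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    listener = any(s.get(ANDROID_NS + "permission")
                   == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
                   for s in root.iter("service"))
    # String-level indicators: targeted package names and distinct bot tokens.
    pkgs = sorted({p for s in strings for p in TARGET_PACKAGES if p in s})
    tokens = sorted({m.group(1) for s in strings for m in TELEGRAM_BOT_RE.finditer(s)})
    f = {
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "sms_receiver": "android.provider.Telephony.SMS_RECEIVED" in actions,
        "notification_listener": listener,
        "targeted_packages": pkgs,
        "telegram_bot_tokens": len(tokens),
    }
    signals = sum([f["receive_sms"], f["sms_receiver"], f["notification_listener"], bool(pkgs)])
    # C&C strings plus at least two collection capabilities is the high-confidence pattern.
    f["verdict"] = ("high" if tokens and signals >= 2
                    else "medium" if tokens or signals >= 2 else "low")
    return f

# Constructed sample (not a real Tria Stealer artifact); bot tokens are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.settings">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Settings">
    <receiver android:name=".SMSMonitor"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <service android:name=".AppNotificationListener"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application></manifest>"""
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot000000001:PLACEHOLDER_TOKEN_A/sendMessage",
    "https://api.telegram.org/bot000000002:PLACEHOLDER_TOKEN_B/sendMessage",
    "com.whatsapp", "com.google.android.gm", "firstStart",
]
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)` to see the per-indicator findings and the verdict; in practice the manifest comes from an apktool-decoded APK and the strings from the decoded resources and DEX.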
UdangaSteal Malware Campaign
In 2023 and early 2024, a similar campaign was observed using UdangaSteal malware, primarily targeting victims in Indonesia, Malaysia, and India to steal SMS data and exfiltrate it to Telegram bots hosted as a C&C server. This campaign heavily focused on Indonesian and Indian victims and employed various lure themes, including:
Wedding invitations
Parcel delivery
Credit card transactions
Government job offers
Religious events
Annual tax charges
Customer support
Electricity bills
Government initiatives for farmers
Vehicle registration systems for Indian users
However, the current Tria Stealer campaign is not attributed to the same threat actor behind UdangaSteal. The differences in APK code, Telegram bot naming patterns, and victimology suggest they are separate operations. Additionally, Tria Stealer has evolved beyond SMS theft, now targeting personal communications, including data from WhatsApp and email apps. In contrast, UdangaSteal maintained the same tactics from its emergence in 2023 through late 2024 without significant changes.
Recommendation
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
● Download and install software only from official app stores like Google Play Store or the Apple App Store.
● Use a reputable antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
● Never share your card details, CVV number, card PIN, or net banking credentials with an untrusted source.
● Use strong passwords and enforce Multi-Factor Authentication wherever possible.
● Enable biometric security features such as fingerprint or facial recognition to unlock the mobile device wherever possible.
● Be wary of opening any links received via SMS or emails delivered to your phone.
● Ensure that Google Play Protect is enabled on Android devices.
● Be careful while enabling any permissions.
● Keep your devices, operating systems, and applications up to date with the latest software.
Conclusion
The Tria Stealer campaign remains active, expanding its reach to more victims in Malaysia and Brunei. Phishing techniques are used to distribute the APK, enabling the attackers to spy on victims’ messages and emails. Stolen data is leveraged to obtain security codes for hijacking WhatsApp and Telegram accounts, which are then exploited to distribute the malicious APK to the victims' contacts. Access to security codes may also allow attackers to compromise other online accounts, further extending their malicious activities.
With medium confidence, the threat actor will likely continue targeting users in Malaysia and Brunei, seeking to hijack WhatsApp and Telegram accounts while expanding control over other online services to facilitate further malicious operations.