Delivery through a compromised WhatsApp account and through a compromised Telegram account | Source: Kaspersky Labs
A newly uncovered Android malware campaign, dubbed Tria Stealer, has been actively targeting users in Malaysia and Brunei since mid-2024, leveraging wedding invitations as a lure to distribute a malicious APK. The stealthy malware is designed to steal personal messages, hijack WhatsApp and Telegram accounts, and facilitate financial fraud.
According to Kaspersky researchers, the threat actor behind Tria Stealer is likely Indonesian-speaking, based on embedded Indonesian language strings and naming patterns of the Telegram bots used for command-and-control (C2) operations.
“The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected country.”
The attack begins with a phishing message, often a fake wedding invitation, sent via WhatsApp or Telegram. Victims are tricked into downloading and installing the malicious APK, believing it to be a legitimate event invitation app.
“The threat actor distributes the APK via personal and group chats in Telegram and WhatsApp, using messages that invite recipients to a wedding and require them to install the APK to view an invitation card.”

Once installed, Tria Stealer requests extensive permissions, including:
- Read and receive SMS messages (to intercept OTPs and security codes)
- Read phone state and call logs
- Access network state and internet permissions
- Receive boot completed (to maintain persistence)
- Bind notification listener service (to intercept app notifications)
“The app mimics a system settings app with a gear icon to trick the victim into thinking that the request and the app itself are legitimate.”
After installation, the malware executes its primary functions, stealing messages, call logs, emails, and security codes, all sent back to Telegram bots operated by the threat actor.
The main goal of Tria Stealer is to compromise victims’ messaging accounts and use them for further malware distribution and financial fraud.
Step 1: Intercepting Security Codes
Once installed, Tria Stealer listens for incoming SMS messages and notifications containing one-time passwords (OTPs) or transaction authorization codes (TACs).
“The threat actor uses stolen messages and emails to obtain security codes for hijacking their victims’ WhatsApp and Telegram accounts.”
This allows the attacker to log into victims’ messaging accounts, effectively locking them out of their own WhatsApp or Telegram.
Step 2: Using Hijacked Accounts for Social Engineering Scams
After taking control of an account, the threat actor impersonates the victim, sending fraudulent messages to friends, family, or colleagues requesting money transfers.
“The threat actor takes advantage of the hijacked WhatsApp and Telegram accounts to impersonate their owners, asking the targets’ contacts to transfer money to the actor’s bank accounts.”
The fraudulent messages often claim an emergency situation, increasing the likelihood of deceiving contacts into sending money.
Step 3: Expanding the Infection Chain
The compromised WhatsApp and Telegram accounts are also used to send fake wedding invitations to new targets, expanding the malware’s reach.
“Once compromised, these accounts are used for two main purposes: distributing the malicious APK to the targets’ contacts through group chats and direct messages, and impersonating the account owners to request money transfers.”
Unlike basic SMS-stealing malware, Tria Stealer is capable of targeting a wide range of personal data, including email inboxes and app notifications.
Messaging Apps Targeted:
- WhatsApp & WhatsApp Business
- Google Messages & Samsung Messages
- Default Android MMS
Email Apps Targeted:
- Gmail
- Outlook
- Yahoo Mail
“The onNotificationPosted function in a custom class named AppNotificationListener is triggered whenever a new notification is posted by one of the targeted apps.”
The malware extracts messages from notifications and sends them to a Telegram bot controlled by the attackers.
“The stolen information could be exploited for other malicious activities, such as accessing online banking accounts, resetting passwords, or compromising services that rely on instant message or email authentication.”
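As an added example (not Kaspersky's tooling and not code from the report), the following Python script triages an AndroidManifest.xml for the permission profile listed earlier (SMS, phone state and call logs, network, boot persistence) together with a service guarded by BIND_NOTIFICATION_LISTENER_SERVICE, which is how a notification listener such as AppNotificationListener has to be declared. The package names and both sample manifests are constructed.

```python
# Added example (constructed; not Kaspersky's tooling): triage an AndroidManifest.xml
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM = "{%s}permission" % ANDROID_NS

# Permissions the article lists, grouped by the capability they give the app.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone_and_calls": {"android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG"},
    "network": {"android.permission.ACCESS_NETWORK_STATE", "android.permission.INTERNET"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
STEALER_PROFILE = {"sms_interception", "notification_listener", "network", "persistence"}

def triage_manifest(xml_text):
    """Return the capabilities a manifest requests and whether they match the
    stealer profile: message capture, an exfiltration path and boot persistence."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {cap: sorted(requested & perms) for cap, perms in CAPABILITIES.items()}
    # A notification listener is a <service> guarded by the BIND_* permission;
    # any class like AppNotificationListener must be declared this way to run.
    found["notification_listener"] = [s.get(NAME) for s in root.iter("service")
                                      if s.get(PERM) == LISTENER_PERM]
    present = {cap for cap, hits in found.items() if hits}
    return {"capabilities": found, "suspicious": STEALER_PROFILE <= present}

# Constructed manifest mirroring the permission set the article describes.
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".AppNotificationListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/></manifest>"""
```

On a real sample, feed the output of apktool's decoded manifest to triage_manifest and treat a suspicious result as a reason for dynamic analysis, not as a verdict on its own.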
Kaspersky researchers found strong indicators that the Tria Stealer campaign originates from an Indonesian-speaking cybercriminal group.
“We assume with high confidence that the threat actor is Indonesian-speaking, because some strings included in the messages sent to the Telegram bot are written in Indonesian, for example: ‘APLIKASI DI BUKA LAGI’ (translated as ‘APPLICATION REOPENED’).”
Additionally, naming conventions for the Telegram bots used in C2 communications align with Indonesian language patterns.
Kaspersky warns that Tria Stealer’s tactics will likely evolve, making constant vigilance and proactive security measures essential in staying ahead of mobile malware threats.
“The Tria Stealer campaign remains active, targeting more victims in Malaysia and Brunei. The attackers employ phishing techniques to spread the APK, allowing them to spy on victims’ personal messages and emails.”