Tria stealer targets Android users for SMS exfiltration and financial gain

Jan. 30, 2025, 5:33 p.m.

Description

Since mid-2024, a malicious Android campaign dubbed 'Tria Stealer' has been targeting users in Malaysia and Brunei using wedding invitation lures. The malware collects SMS data, call logs, messages from apps like WhatsApp, and email data from Gmail and Outlook. It exfiltrates this information to Telegram bots used as C2 servers. The threat actor exploits the stolen data to hijack personal messaging accounts, impersonate victims to request money transfers, and compromise other accounts. Based on language artifacts found, the campaign is likely operated by an Indonesian-speaking threat actor. The malware continues to be actively distributed as of January 2025, focusing on expanding its victim pool and financial fraud.

Date

  • Created: Jan. 30, 2025, 5:08 p.m.
  • Published: Jan. 30, 2025, 5:08 p.m.
  • Modified: Jan. 30, 2025, 5:33 p.m.

Indicators

  • c7721857e90a5c0f97c0b62c7fe06b19d1bde18a08e57127785687b5aa7c65da
  • 63c971652d9313665df835836d1d36e602b7dbfef4ed21083f1adf8e4dceac74
  • 43789dee64640abe2d08cb89e99b39b58bb297d8e1cea9bdc0a2aedbf7c7a46e

Attack Patterns

  • Tria Stealer
  • T1412
  • T1094
  • T1582

Additional Information

  • Brunei Darussalam
  • Malaysia