Full Report
Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps. The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with
Analysis Summary
# Tool/Technique: Tria Stealer
## Overview
Tria Stealer is a piece of malware specifically designed to target Android users, primarily observed targeting victims in Malaysia and Brunei since at least March 2024. Its primary function is to harvest sensitive data from various messaging and email applications to facilitate account hijacking and financial scams.
## Technical Details
- Type: Malware family (Android Stealer)
- Platform: Android
- Capabilities: Data exfiltration, SMS interception, call log tracking, WhatsApp/Telegram message harvesting, email credential/data harvesting.
- First Seen: Ongoing since at least March 2024
## MITRE ATT&CK Mapping
This malware aligns broadly with data theft and command-and-control communication techniques:
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0009 - Collection**
  - T1119 - Automated Collection
- **TA0011 - Command and Control**
  - T1071.005 - Application Layer Protocol: Other Application Protocols (Use of Telegram API)
## Functionality
### Core Capabilities
- **Information Gathering:** Collects SMS messages, tracks call logs.
- **Credential/Data Theft:** Harvests messages from major communication apps including Gmail, Google Messages, Microsoft Outlook, Samsung Messages, WhatsApp, WhatsApp Business, and Yahoo! Mail.
- **Distribution:** Disseminated through personal and group chats via Telegram and WhatsApp using malicious APK files.
### Advanced Features
- **Account Hijacking & Scamming:** Stolen data is used to hijack messaging accounts (WhatsApp, Telegram) to impersonate the victim, request money transfers from contacts to actor-controlled bank accounts, and further distribute the malware.
- **OTP Theft Potential:** Ability to extract SMS messages suggests capabilities to steal One-Time Passwords (OTPs), potentially leading to unauthorized access to various online services, including banking accounts.
- **C2 Communication:** Exfiltrates collected data by sending it to various Telegram bots using the Telegram Application Programming Interface (API).
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: Malicious APK files distributed via chats.
- Registry Keys: [Not applicable/Not provided in text for Android]
- Network Indicators: Communication utilizes Telegram bots for C2 via the Telegram API.
- Behavioral Indicators: Requests excessive or sensitive permissions on the Android device for data harvesting; observed distribution via Telegram and WhatsApp payloads.
## Associated Threat Actors
- Indonesian-speaking threat actor (suggested based on Indonesian language artifacts and Telegram bot naming conventions).
## Detection Methods
- **Signature-based detection:** Developing signatures against known Tria Stealer APKs.
- **Behavioral detection:** Monitoring for APKs requesting excessive permissions, unusual data access patterns involving messaging/email apps, and outbound communication to Telegram API endpoints consistent with data exfiltration.
- **YARA rules:** [Not provided in text]
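The behavioral detection and network indicators described above, worked through as a small Python script. This is an added example, not code from the report or from any vendor tooling. It scans constructed proxy-log lines for Telegram Bot API calls (the documented URL shape `https://api.telegram.org/bot<token>/<method>`) from apps that are not on an allowlist, scores a package's manifest for the SMS, call-log and notification-listener permissions the described capabilities require, and correlates the two into a high-confidence list. The log field layout, package names and bot token are constructed for the example; the alert records only the numeric bot id, never the full token.

```python
"""Hypothetical Tria-style behavioral detector: Telegram Bot API exfil + messaging permissions."""
import re

# Real Android permission names that together cover SMS interception, call-log
# tracking and notification-based message harvesting (constructed risk set).
HIGH_RISK_PERMISSIONS = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
})

# Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>\w+)"
)
# key=value pairs in the constructed proxy-log format below
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample proxy log (not real traffic). Fields: timestamp src app url bytes_out
SAMPLE_PROXY_LOG = """\
2024-05-02T10:11:12Z src=10.0.0.7 app=com.android.chrome url=https://www.example.org/ bytes_out=512
2024-05-02T10:11:40Z src=10.0.0.7 app=com.example.invite url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/sendDocument bytes_out=48213
2024-05-02T10:12:05Z src=10.0.0.7 app=com.example.invite url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/sendMessage bytes_out=1024
2024-05-02T10:12:30Z src=10.0.0.7 app=com.android.chrome url=https://api.telegram.org/ bytes_out=90
"""

# Constructed manifest permission sets keyed by package name (hypothetical packages).
SAMPLE_MANIFESTS = {
    "com.example.invite": {
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    },
    "com.android.chrome": {"android.permission.INTERNET"},
}


def scan_proxy_log(log_text: str, allowlist: frozenset = frozenset()) -> list:
    """Return one alert per Telegram Bot API call made by an app not on the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        match = TELEGRAM_BOT_API.search(fields.get("url", ""))
        if not match:
            continue  # not a bot API call (plain api.telegram.org hits are ignored)
        app = fields.get("app", "?")
        if app in allowlist:
            continue  # e.g. an internal ops app that legitimately drives a bot
        token = match.group("token")
        alerts.append({
            "timestamp": line.split(" ", 1)[0],
            "src": fields.get("src"),
            "app": app,
            "method": match.group("method"),
            # a bot token is "<bot id>:<secret>"; keep only the id so the
            # alert itself never stores the secret
            "bot_id": token.split(":", 1)[0],
            "bytes_out": int(fields.get("bytes_out", "0")),
            "attack_technique": "T1071.005",
        })
    return alerts


def assess_permissions(package: str, manifest_permissions: set) -> dict:
    """Score a manifest by how many high-risk messaging permissions it declares."""
    matched = sorted(HIGH_RISK_PERMISSIONS & set(manifest_permissions))
    return {
        "package": package,
        "matched": matched,
        "score": len(matched),
        # two or more of the set is enough to read SMS/OTP content or call history
        "flag": len(matched) >= 2,
    }


def correlate(alerts: list, manifests: dict) -> list:
    """Packages that both hold messaging permissions and pushed data to a Telegram bot."""
    exfil_apps = {a["app"] for a in alerts}
    return sorted(
        pkg for pkg, perms in manifests.items()
        if pkg in exfil_apps and assess_permissions(pkg, perms)["flag"]
    )


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for alert in found:
        print(alert)
    print("high-confidence:", correlate(found, SAMPLE_MANIFESTS))
```

The allowlist matters in practice: the Bot API is also used by legitimate automation, so the signal is the combination of bot-API traffic with a package that holds SMS or call-log access, not the Telegram destination on its own. Feeding this real proxy logs only needs the `KV` field parser adjusted to the local log format.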
## Mitigation Strategies
- **Prevention Measures:** Avoid installing applications from unofficial or untrusted sources (sideloading caution).
- **Hardening Recommendations:** Keep the Android OS up to date (the Google analysis notes protections in Android 13 and later). Keep Google Play Protect enabled. For app developers, implement Play Integrity API checks to detect modified or compromised environments.
- **User Education:** Caution users about unsolicited file attachments via chat applications, especially those disguised as legitimate interactions.
## Related Tools/Techniques
- UdangaSteal: A related activity cluster noted to target Indonesian and Indian victims with similar lures (wedding invitations, package delivery) in 2023/2024, though direct linkage to the same threat actor is unconfirmed.