A new cybersecurity alert has been issued by the Nigeria Computer Emergency Response Team (ngCERT), warning of a rapidly spreading malware campaign known as Tria Stealer, which is specifically targeting Android devices. The advanced malware is being used to compromise user accounts, harvest sensitive information, and bypass device security protocols with alarming precision.
Tria Stealer, which ngCERT describes as “highly evasive,” is capable of hijacking WhatsApp and Telegram accounts, intercepting One-Time Passwords (OTPs), and exfiltrating personal and financial data. It is being distributed through deceptive digital invitations—such as wedding or event announcements—shared via messaging platforms like WhatsApp and Telegram.
Infection Tactics and Capabilities
Victims are tricked into downloading a malicious Android Package Kit (APK) file, which, once installed, masquerades as a legitimate system application. This tactic allows the malware to evade detection and gain persistent access to the device.
Once embedded, Tria Stealer immediately seeks permission to access critical features such as SMS messages, call logs, and app notifications. It then begins harvesting and transmitting user data to a Command and Control (C2) server controlled by Telegram bots.
According to ngCERT, the malware has multiple capabilities:
- Interception of OTPs used for two-factor authentication, enabling account takeovers.
- Impersonation of victims to request fraudulent transfers from contacts.
- Infiltration of banking and financial apps, allowing unauthorized access to funds.
- Theft of login credentials for identity fraud.
- Deployment of additional malware payloads, further compromising the device.
Tria Stealer also employs advanced encryption and obfuscation techniques to avoid detection by antivirus software. Notably, the malware reactivates automatically each time the device is restarted, ensuring persistent access and control.
Scope of the Threat
ngCERT emphasized that the threat impacts both individual users and organizations, particularly those who rely heavily on mobile messaging platforms for communication. The malware’s ability to spoof trusted contacts increases the risk for even vigilant users.
Safety Recommendations for Individuals
To reduce exposure to the Tria Stealer malware, ngCERT recommends the following precautions:
- Only install applications from trusted sources such as the Google Play Store.
- Avoid clicking on unsolicited event invitations or installation prompts—even if they appear to come from known contacts.
- Enable two-factor authentication (2FA) on all messaging, email, and banking applications.
- Use reliable and regularly updated antivirus software on mobile devices.
- Restrict app permissions, especially for apps that are not installed via official app stores.
Security Guidance for Organizations
For corporate environments, ngCERT advises taking proactive measures, including:
- Running employee cybersecurity awareness programs, particularly around the risks of APK-based malware.
- Educating staff on the dangers of clicking links in messaging apps.
- Deploying mobile threat detection software on devices used by high-risk personnel.
- Implementing Mobile Device Management (MDM) systems to enforce security protocols.
- Monitoring network traffic for signs of communication with known malware command centers.
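The traits described above (installation from outside the Google Play Store, access to SMS, call logs and notifications, and restart after reboot) can be checked against an app inventory of the kind an MDM system exports. The following is an added example, not part of the ngCERT advisory; the record format, package names and threshold are assumptions made for illustration.

```python
# Added example: triage of an app inventory for the traits the advisory describes.
# The record format, package names and threshold are constructed assumptions.
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG = {"android.permission.READ_CALL_LOG"}
BOOT = {"android.permission.RECEIVE_BOOT_COMPLETED"}  # restart after reboot


def risk_signals(app):
    """Return the advisory-matching traits found in one inventory record."""
    perms = set(app.get("permissions", []))
    signals = []
    if app.get("installer") != PLAY_STORE:
        signals.append("sideloaded")
    if perms & SMS:
        signals.append("sms")
    if perms & CALL_LOG:
        signals.append("call_log")
    if app.get("notification_listener"):
        signals.append("notifications")
    if perms & BOOT:
        signals.append("starts_on_boot")
    return signals


def triage(inventory, threshold=4):
    """List sideloaded apps showing at least `threshold` traits in total."""
    flagged = []
    for app in inventory:
        signals = risk_signals(app)
        if "sideloaded" in signals and len(signals) >= threshold:
            flagged.append((app["package"], signals))
    return flagged


# Constructed sample inventory (hypothetical package names).
SAMPLE = [
    {"package": "com.example.messenger", "installer": PLAY_STORE,
     "permissions": sorted(SMS | CALL_LOG | BOOT), "notification_listener": False},
    {"package": "com.example.invite.settings", "installer": None,
     "permissions": sorted(SMS | CALL_LOG | BOOT), "notification_listener": True},
    {"package": "com.example.flashlight", "installer": None,
     "permissions": ["android.permission.CAMERA"], "notification_listener": False},
]

if __name__ == "__main__":
    for package, signals in triage(SAMPLE):
        print(package, ", ".join(signals))
```

A match is a prompt for manual review rather than a verdict, since legitimate apps can hold the same permissions. The check treats any installer other than Google Play as sideloaded, so organizations that use another approved store should add it to the comparison.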
As the digital threat landscape evolves, ngCERT urges all users and organizations to remain vigilant and adopt comprehensive mobile security practices to mitigate the risks posed by this highly sophisticated malware campaign.





