Cyber Alert: ngCERT Warns of Malware Hijacking WhatsApp, Telegram on Android Devices
Nigeria’s cyber defense agency has issued a high-security alert as a new Android malware spreads rapidly.
Disguised within WhatsApp and Telegram messages, the malware bypasses antivirus tools, intercepts OTPs, and infiltrates mobile banking apps.
Nigeria’s cyber defense agency has raised a high-level security alert following the spread of a dangerous malware known as Tria Stealer, which is actively targeting Android users.
The malware disguises itself through fake event invitations sent on WhatsApp and Telegram, hijacking accounts, intercepting OTPs, and stealing sensitive financial data, all while remaining undetected by most antivirus programs.
The Nigerian Computer Emergency Response Team (ngCERT) has issued a high-alert warning about a rising wave of cyberattacks involving a powerful Android malware called Tria Stealer. The malware, described as highly evasive and sophisticated, is being used by cybercriminals to gain unauthorized access to mobile devices and extract sensitive user data.
Tria Stealer spreads through fake wedding or event invitations shared across popular messaging platforms like WhatsApp and Telegram. Once the unsuspecting user clicks the link and downloads the infected Android Package Kit (APK), the malware installs itself under the guise of a legitimate system application, bypassing most antivirus and security tools.
How Tria Stealer works
Upon installation, Tria Stealer immediately requests access to sensitive phone functions, including SMS, call logs, notifications, and installed apps. It then begins collecting a wide range of personal and financial data. All the stolen data is silently transmitted to a command and control (C2) server operated via Telegram bots, a strategy that makes it difficult to trace or shut down the operation.
According to ngCERT, the malware can:
- Intercept one-time passwords (OTPs) to compromise online accounts.
- Hijack WhatsApp and Telegram accounts.
- Impersonate victims to initiate fraudulent money transfers.
- Gain unauthorized access to banking and financial apps.
- Steal login credentials for identity theft.
- Download and install additional malicious payloads without user knowledge.
Tria Stealer employs advanced encryption and obfuscation techniques to avoid detection. It is programmed to automatically reactivate after every device reboot, ensuring continued control over the infected system.
ngCERT warns that both individuals and organizations are at risk, especially those heavily reliant on mobile messaging platforms for communication. Due to the malware’s ability to impersonate trusted contacts, even users who are generally cautious about cybersecurity may fall victim.
This makes Tria Stealer particularly dangerous in workplace settings, where an infected device can serve as a gateway for larger network attacks or data leaks.
Safety measures for individuals
To protect against this threat, ngCERT urges Android users to:
- Download apps only from trusted sources like the Google Play Store.
- Avoid clicking on unsolicited messages, event invitations, or app downloads, even from known contacts.
- Enable two-factor authentication (2FA) on all banking and messaging platforms.
- Use and regularly update reputable mobile antivirus software.
- Review and limit app permissions, especially for apps installed outside official platforms.
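The permission review advised above can be automated against the behaviours listed under "How Tria Stealer works". The following is an added example, not code from ngCERT or from this article. The inventory record format (package, label, installer, system, notification_listener, permissions) and the sample packages are constructed assumptions; the permission strings and the Play Store installer name are standard Android identifiers.

```python
# Added example: flag sideloaded apps whose access matches the alert's description.
# The inventory record format is an assumption, not a real MDM export schema.
RISKY = {
    "reads SMS (OTP interception)": {"android.permission.READ_SMS",
                                     "android.permission.RECEIVE_SMS"},
    "reads call logs": {"android.permission.READ_CALL_LOG"},
    "lists installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "restarts after reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store


def score_app(app):
    """Return the list of risky traits one inventory record exhibits."""
    perms = set(app.get("permissions", []))
    reasons = [why for why, group in RISKY.items() if perms & group]
    if app.get("notification_listener"):  # notification access granted by the user
        reasons.append("reads notifications from other apps")
    return reasons


def audit(inventory, threshold=3):
    """Flag apps from outside trusted stores showing >= threshold risky traits."""
    findings = []
    for app in inventory:
        # Trust the installer and the platform's system flag, never the display
        # label: the alert notes the malware poses as a system application.
        if app.get("installer") in TRUSTED_INSTALLERS or app.get("system"):
            continue
        reasons = score_app(app)
        if len(reasons) >= threshold:
            findings.append({"package": app["package"], "label": app.get("label"),
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample inventory (hypothetical packages, for illustration only).
SAMPLE_INVENTORY = [
    {"package": "com.example.bankapp", "label": "Example Bank", "system": False,
     "installer": "com.android.vending",
     "permissions": ["android.permission.RECEIVE_SMS"]},
    {"package": "com.example.invite", "label": "System Settings", "system": False,
     "installer": None, "notification_listener": True,
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.READ_CALL_LOG",
                     "android.permission.QUERY_ALL_PACKAGES",
                     "android.permission.RECEIVE_BOOT_COMPLETED"]},
    {"package": "com.example.flashlight", "label": "Torch", "system": False,
     "installer": None, "permissions": ["android.permission.RECEIVE_BOOT_COMPLETED"]},
    {"package": "com.example.dialer", "label": "Phone", "system": True, "installer": None,
     "permissions": ["android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                     "android.permission.RECEIVE_BOOT_COMPLETED"]},
]
```

Running audit(SAMPLE_INVENTORY) flags only the sideloaded app labelled "System Settings"; a flagged app is a candidate for manual review, not a confirmed infection.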
Organizational guidelines
For businesses and institutions, the agency recommends:
- Conducting cybersecurity awareness campaigns to educate staff about malware risks.
- Warning employees about clicking links in messaging apps, even from trusted peers.
- Deploying mobile threat detection software on executive and sensitive accounts.
- Implementing Mobile Device Management (MDM) solutions to enforce security policies.
- Monitoring network traffic for suspicious patterns or connections to known malware command servers.
The emergence of Tria Stealer highlights the growing threat posed by mobile-focused cyberattacks, especially those leveraging social engineering and messaging apps to bypass security layers. As cybercriminals become more sophisticated, both individuals and organizations must stay alert, adopt proactive security measures, and remain updated on evolving digital threats.