
Triangulation Mobile Malware

Triangulation is a highly sophisticated malware specifically designed to target iOS devices. It operates as a backdoor, creating a secret entry point for further threatening activities. Because it is delivered through zero-click exploits, Triangulation can infiltrate devices without requiring any user interaction, making it even more harmful and challenging to detect.

Once inside a device, Triangulation gathers basic device and user data, allowing the attackers to obtain valuable information. Furthermore, it has the capability to download and install additional malicious components, including a backdoor implant known as TriangleDB. This implant serves as a persistent tool that enables the attackers to maintain access to the compromised device and carry out further nefarious actions. While the threat lacks traditional persistence mechanisms, it compensates by employing advanced infiltration methods and removing any traces of its presence, making it difficult to detect and eliminate.

Triangulation has been a persistent threat since at least 2019 and continues to pose a significant risk as of June 2023. It is worth noting that the version analyzed by information security experts has demonstrated the capability to effectively target devices running iOS 15.7, indicating its adaptability to the newer iOS versions.

Triangulation Attacks Begin with Phishing Messages Carrying Compromised Attachments

Triangulation infections are believed to be triggered automatically by a message containing an unsafe attachment sent via iMessage. The attachment itself contains an exploit that takes advantage of a kernel vulnerability within iOS. This vulnerability allows the execution of malicious code, which starts the first stage of the Triangulation attack. As the infection progresses, multiple components are downloaded from a Command-and-Control (C2) server. These components serve the purpose of escalating the malware's capabilities and attempting to gain root privileges on the compromised device.

In addition to its primary functions, Triangulation also introduces the TriangleDB implant into the compromised device. While Triangulation itself is capable of gathering basic system information, the campaign heavily relies on TriangleDB to access highly sensitive data. This includes retrieving information from various applications, user files, login credentials, and other critical data stored on the device.

The combination of the initial exploit, the subsequent download of components from the C2 server, and the deployment of the TriangleDB spyware demonstrates the complex and multifaceted nature of the Triangulation attack operation.

The Threatening Capabilities Discovered in the Triangulation Mobile Malware

A significant portion of Triangulation's operation is dedicated to eliminating any traces of its presence and eradicating the evidence of the initial infection. This includes the deletion of the malicious messages that start the attack chain. By erasing these elements, Triangulation aims to complicate the detection and analysis process, making it challenging to uncover its activities. However, it is important to note that despite its efforts, Triangulation cannot completely remove all signs of compromise. Certain remnants of a Triangulation infection can still be recovered using digital forensics tools.

One notable aspect of Triangulation is its lack of persistence mechanisms. When the infected device is rebooted, the malware is effectively eliminated from the system. The only measure Triangulation employs to avoid premature removal is obstructing iOS updates. In some cases, when an attempt to update iOS is made, an error message is displayed, stating that 'Software Update Failed. An error occurred downloading iOS.'

However, it is crucial to understand that while a simple restart can remove Triangulation, it does not prevent a subsequent infection by the threat. Because the infection chain is zero-click, the malware could easily be delivered to the victim's device again. Therefore, after an iPhone has been rebooted, it is necessary to perform a factory reset of the device. Following the reset, it is imperative to promptly update iOS to ensure the device is protected against Triangulation and its associated threats.
