How to remove Triangulation malware from your iPhone
Written by Tomas Meskauskas on (updated)
What kind of malware is Triangulation?
Triangulation is the name of malware targeting iOS devices. It is part of a highly sophisticated campaign. Triangulation serves as a backdoor – a program that opens a "backdoor" for further infections. The malware can gather basic device/user data and download/install additional malicious components, including the TriangleDB spyware.
What Triangulation lacks in persistence-ensuring mechanisms, it compensates with infiltration methods requiring no user interaction (i.e., zero-click exploit) and its ability to remove traces of its presence.
Triangulation malware has been around since at least as early as 2019, and it is still active at the time of writing.
Triangulation malware overview
Triangulation infections begin with a message containing a malicious attachment sent via iMessage. Unlike in most malware infections – wherein the victim has to interact with the virulent content (e.g., open file, link, etc.) – the chain is jumpstarted automatically.
The attachment – an exploit – abuses a kernel vulnerability, which allows for the execution of malicious code. The chain then progresses to the download of multiple components from the C&C (Command and Control) server. The malware aims to escalate itself and gain root privileges.
Triangulation also infiltrates the TriangleDB spyware into the compromised device. While the former can obtain basic details from systems, the campaign relies on TriangleDB to acquire highly sensitive information (e.g., app data, user files, log-in credentials, etc.).
A significant bulk of Triangulation's operations are geared towards eradicating the evidence left behind by the infection. It even deletes the infectious message that jumpstarts the chain. These features complicate Triangulation's detection and analysis, although the malware cannot remove all traces of compromise. Digital forensics tools are able to recover some remnants of a Triangulation infection.
As mentioned in the introduction, this backdoor does not have the ability to ensure its persistence. Hence, when the device is rebooted – the malware is effectively eradicated. The sole method it employs to avoid untimely elimination is to prevent the iOS from updating. In some instances when an attempt to update the system is made, it results in an error message stating – "Software Update Failed. An error ocurred downloading iOS".
However, while a restart removes Triangulation – it does not prevent reinstallation. The infection can easily reoccur since the malware uses a zero-click exploit for infiltration. Therefore, after the iPhone is rebooted, it must be reset to factory settings. The reset must be followed up with an immediate iOS update.
It is noteworthy that malware developers often improve upon their creations. Hence, future Triangulation campaigns could use other techniques or have additional/different functionalities.
To summarize, the presence of software like Triangulation on devices can result in multiple system infections, severe privacy issues, financial losses, and identity theft.
Name | Triangulation virus |
Threat Type | Trojan, backdoor malware |
Detection Names | Avast (MacOS:TriangleDb-A [Trj]), Combo Cleaner (Trojan.IOS.TriangleDb.A), ESET-NOD32 (IOS/TriangleDb.A), Kaspersky (Trojan.IphoneOS.TriangleDB.a), Microsoft (Trojan:iPhoneOS/TriangleDB!MTB), Full List Of Detections (VirusTotal) |
Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
Distribution methods | Exploit sent via iMessage |
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Malware in general
Malware can have a wide variety of abilities, which can be in varied combinations (i.e., the functionalities are not mutually exclusive).
Malicious software can operate as a "trojan" – which is a broad term encompassing various programs that may serve as backdoors, data stealers, spyware (record desktops, audio/video via microphones and cameras, etc.), keyloggers (record keystrokes), clippers (replace clipboard content), etc.
Another popular class is ransomware – these programs encrypt victims' files and/or lock the device's screen for the purpose of making ransom demands. Cryptominer is a type of malware that abuses system resources to generate cryptocurrency.
However, regardless of how malicious software operates – its presence on a system endangers device integrity and user safety. Therefore, all threats must be eliminated immediately upon detection.
How did Triangulation infiltrate my device?
As previously mentioned, Triangulation uses a zero-click exploit to infiltrate iPhones. To elaborate, a message containing a malicious attachment is spent through iMessage. However, the exploit (attachment) auto-triggers without any user interaction.
The selection process for contact information connected to iMessage is currently unknown. It is likewise unclear whether some part of the process is randomized, relies on data obtained through phishing/ social engineering, or is entirely targeted.
It is unlikely that Triangulation's infection chain will be altered before the observed exploit becomes unavailable. Regardless, it is still worth mentioning the most widely used malware proliferation methods.
Malicious software is commonly spread via virulent attachments/links in spam mail (e.g., email, DM/PM, SMS, etc.), drive-by (stealthy/deceptive) downloads, untrustworthy download sources (e.g., freeware and free file-hosting websites, third-party app stores, Peer-to-Peer sharing networks, etc.), pirated software, illegal program activation ("cracking") tools, fake updates, online scams, and malvertising.
How to avoid installation of malware?
We strongly recommend researching software by reading terms and user/expert reviews, checking out necessary permissions, verifying developer legitimacy, etc.
Additionally, all downloads must be performed from official and trustworthy channels. It is just as important to activate and update programs by using legitimate functions/tools, as those obtained from third-parties can contain malware.
Another recommendation is to treat incoming emails and other messages with care. Attachments or links present in suspect/irrelevant mail must not be opened, as they can be infectious. We also advise being vigilant while browsing since fraudulent and malicious online content usually appears ordinary and harmless.
It is paramount to have a dependable anti-virus installed and kept updated. Security software must be used to run regular system scans and to remove detected threats.
Important!
While restarting the device will remove Triangulation malware, it will not prevent reinstallation.
To remove the Triangulation malware you must:
- Reboot the device
- Restore the device to factory settings
- Update the iOS to the latest version
Frequently Asked Questions (FAQ)
My iPhone is infected with Triangulation malware, should I format my storage device to get rid of it?
Yes, Triangulation's removal requires a full factory reset, followed by an immediate update to the iOS.
What are the biggest issues that Triangulation malware can cause?
The threats associated with an infection depend on the malicious program's capabilities and the cyber criminals' goals. Triangulation is a backdoor; it essentially serves as a gateway for additional malicious programs and components (e.g., TriangleDB spyware). Generally, infections of this kind can result in severe privacy issues, financial losses, and identity theft.
What is the purpose of Triangulation malware?
In most cases, malware is utilized to generate revenue. However, cyber criminals can also use this software to amuse themselves, realize personal grudges, disrupt processes (e.g., websites, services, companies, etc.), and even launch politically/geopolitically motivated attacks.
How did Triangulation malware infiltrate my iPhone?
Triangulation infects devices through a malicious attachment in a message sent via iMessage. The infection occurs automatically upon the message's arrival and requires no user interaction. The selection process for targeted devices/victims is unknown.
▼ Show Discussion