How to remove TriangleDB spyware-type malware from your iPhone
Written by Tomas Meskauskas on (updated)
What kind of malware is TriangleDB?
TriangleDB is a spyware-type program. It is designed to extract/record and exfiltrate vulnerable data from infected iPhone devices.
TriangleDB has been observed being injected into devices by the Triangulation backdoor. This malware campaign is sophisticated; the infection is triggered without user interaction (i.e., zero-click exploit), and traces of compromise are deleted. Triangulation and, by extension, TriangleDB have been around since as early as 2019 and are still active as of 2023.
TriangleDB malware overview
TriangleDB is infiltrated into systems by Triangulation malware. This backdoor infects devices through a malicious exploit attached to a message sent via iMessage. It is a zero-click exploit and as such – requires no actions from the user to jumpstart the infection process. Triangulation introduces several malicious components into compromised devices, including TriangleDB.
As mentioned in the introduction, the backdoor malware takes great care to eliminate traces of the infection. Due to this, the analysis of the infection chain and its components is significantly complicated.
Following infiltration, TriangleDB begins its operations by gathering relevant data, e.g., IMEI, MEID, serial number, iOS version, etc. The spyware can receive commands from its C&C (Command and Control) server. Some of them include (but are not limited to): managing files (i.e., modify, create, delete, exfiltrate), obtaining installed application lists, terminating running processes, monitoring geolocation data, downloading/installing and executing additional modules.
To elaborate on a few of these commands, TriangleDB can inspect a file before determining whether its exfiltration is worthwhile. Additionally, iPhones have the ability to record a variety of information associated with the user's location and movements. TriangleDB takes full advantage of this – thus obtaining the victim's coordinates, altitude, bearing (i.e., direction the device is physically moving), movement speed, etc.
Furthermore, TriangleDB targets the device's Keychain – the password management system used by iOS. The spyware requests various permissions, i.e., to access the phone's address books, camera, and microphone. It also asks to be allowed to interact with devices connected via Bluetooth. If TriangleDB grains these permissions, it can then download additional modules for the necessary recording/exfiltration functionalities.
Neither Triangulation nor TriangleDB employ persistence-ensuring techniques. Hence, merely rebooting the phone is enough to remove them. If the device is not restarted, TriangleDB self-deletes after thirty days unless the attackers extend the time period.
However, due to the nature of Triangulation's infections, the malware can reinstall itself onto the iPhone with ease. Therefore, following a system restart – the device must be reset to factory settings, and the iOS immediately updated.
It is pertinent to mention that malware developers often improve upon their creations; since the TriangleDB spyware is still in active use at the time of writing, potential future iterations of this program could have additional/different abilities.
In summary, malware like TriangleDB can cause severe privacy issues, significant financial losses, and even lead to identity theft.
Name | TriangleDB malware |
Threat Type | Trojan, spyware |
Detection Names | Avast (MacOS:TriangleDb-A [Trj]), Combo Cleaner (Trojan.IOS.TriangleDb.A), ESET-NOD32 (IOS/TriangleDb.A), Kaspersky (Trojan.IphoneOS.TriangleDB.a), Microsoft (Trojan:iPhoneOS/TriangleDB!MTB), Full List Of Detections (VirusTotal) |
Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
Distribution methods | Exploit sent via iMessage |
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Information-stealing malware in general
Data-stealing malware can target certain details or a wide range of information. To expand upon this, a malicious program within this classification could be designed to exfiltrate specific data, information associated with a particular service/platform/website, or a variety of data from all manner of sources.
Furthermore, information-exfiltrating malware can have other capabilities, such as recording content (e.g., keystrokes, desktops, audio/video via microphones/cameras, etc.), replacing clipboard content, and so on.
It must be stressed that regardless of how malware operates – its presence on a system threatens device/user safety. Therefore, all threats must be removed immediately upon detection.
How did TriangleDB infiltrate my computer?
TriangleDB is installed onto devices by Triangulation backdoor malware. The latter infiltrates systems via a malicious attachment in a message sent to the victim's iMessage app. The infection is initiated without any action on the victim's part, as the attachment (exploit) triggers the chain automatically upon arrival.
The victim/device selection process is currently unknown. Some of it could be random, use contact information acquired through phishing/ social engineering schemes, or be entirely targeted.
Until the exploit becomes obsolete, TriangleDB's infection chain is unlikely to change. However, it is worth mentioning the techniques most widely used in malware distribution.
Malicious software (typically under the guise of legitimate applications or media files) is proliferated via virulent attachments/links in spam mail (e.g., emails, PMs/DMs, SMSes, etc.), online scams, malvertising, drive-by (stealthy/deceptive) downloads, dubious download channels (e.g., freeware and free file-hosting sites, third-party app stores, P2P sharing networks, etc.), illegal software activation ("cracking") tools, and fake updates.
How to avoid installation of malware?
It is crucial to be vigilant while browsing since fraudulent and malicious online content usually appears ordinary and innocuous. The vigilance must be extended to incoming emails and other messages. We advise against opening attachments or links present in suspicious/irrelevant mail, as they can be infectious.
We recommend researching software by reading terms and expert/user reviews, inspecting necessary permissions, and verifying developer legitimacy. Additionally, all downloads must be performed from official and verified sources. Another recommendation is to activate and update programs using legitimate functions/tools, as those obtained from third-parties may contain malware.
We must emphasize the importance of having a dependable anti-virus installed and kept updated. Security software must be used to run regular system scans and to remove detected threats/issues.
Important!
While restarting the device will remove TriangleDB spyware, it will not prevent reinstallation.
To remove the TriangleDB malware you must:
- Reboot the device
- Restore the device to factory settings
- Update the iOS to the latest version
Frequently Asked Questions (FAQ)
My iPhone is infected with TriangleDB malware, should I format my storage device to get rid of it?
Yes, TriangleDB removal necessitates a full factory reset. It must then be followed up with an immediate update to the iOS.
What are the biggest issues that TriangleDB malware can cause?
The threats posed by an infection depend on the malware's capabilities and the attackers' modus operandi. TriangleDB is a spyware – a type of malware designed to record and exfiltrate sensitive information. Typically, infections of this kind can lead to severe privacy issues, financial losses, and identity theft.
What is the purpose of TriangleDB malware?
Most malware attacks are motivated by financial gain. However, cyber criminals can also use malicious programs to amuse themselves, carry out personal vendettas, disrupt processes (e.g., sites, services, companies, etc.), and even launch politically/geopolitically motivated attacks.
How did TriangleDB malware infiltrate my iPhone?
TriangleDB is part of an infection chain initiated by the Triangulation backdoor. This malware infiltrates systems through a malicious attachment (exploit) within a message sent via iMessage. It is a zero-click exploit and as such requires no user interaction to trigger infection processes. It is currently unknown how the victims/devices are selected.
▼ Show Discussion