iOS
Android
Threat Guidances
Vulnerability
June 22, 2023

Operation Triangulation

Overview

Triangulation malware is now known to be in use against Kaspersky employees for at least four years. It was delivered using invisible iMessage texts by attaching a malicious file that exploited OS-level vulnerabilities of iOS without needing any user action. Once these devices were infected, they were a fully-featured APT (advanced persistent threat) platform using a second payload, as described by Kaspersky researchers. The malware has self-destructing properties where the initial text message that started the infection chain gets deleted after the spyware is installed. The installation and data transmission is hidden. It is known to transmit microphone recordings, photos, geolocation, and other data related to the activities of the device owner to remote servers. The malware uses a technique called Canvas Fingerprinting to deduce the hardware-software combination of the device before execution. Kaspersky notes that iOS 15.7 is the latest OS version that was successfully compromised, and there are no indications of the exploits working in more recent iOS versions.

Lookout Analysis

Once the devices’ initial entry is gained, another payload is downloaded with additional malware from the attackers’ servers. Kaspersky reported that the campaign started in 2019 and still is ongoing. While the initial text is wiped out, the signs of infection are sprinkled across the device. These include system file modifications to prevent iOS update installation, deprecated library files, and abnormal data usage. Since these attacks have been found in devices up to iOS 15.7, the later versions of iOS might already have fixed the vulnerabilities used in these attacks. Using the Out of Date OS policy and ensuring that devices have auto-update enabled will help protect the devices.

Further, domains are associated with this attack’s malicious activity and additional ones for executing commands for collection. These can be blocked by ensuring Lookout’s PCP module is in place and actively protecting the devices. As per Kaspersky's notes, the execution toolset lacks a persistence mechanism though.

Authors

Lookout

Endpoint Security
Platform(s) Affected
iOS
Platform(s) Affected
Android
Entry Type
Threat Guidances
Threat Type
Vulnerability
Platform(s) Affected
iOS
Android
Threat Guidances
Vulnerability

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article
A person with a prosthetic arm working on a computer

Identify and Prevent Threats with Lookout Threat Advisory

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Lookout Threat Advisory offers advanced mobile threat intelligence, leveraging millions of devices in our global network and top security research insights to protect your organization.

Learn More Today
Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell