FacebookTwitterLinkedIn

How to remove Triangulation malware from your iPhone

Also Known As: Triangulation virus
Type: Mac Virus
Damage level: Severe

Tomas Meskauskas Written by on (updated)

What kind of malware is Triangulation?

Triangulation is the name of malware targeting iOS devices. It is part of a highly sophisticated campaign. Triangulation serves as a backdoor – a program that opens a "backdoor" for further infections. The malware can gather basic device/user data and download/install additional malicious components, including the TriangleDB spyware.

What Triangulation lacks in persistence-ensuring mechanisms, it compensates with infiltration methods requiring no user interaction (i.e., zero-click exploit) and its ability to remove traces of its presence.

Triangulation malware has been around since at least as early as 2019, and it is still active at the time of writing.

Triangulation malware detections on VirusTotal

Triangulation malware overview

Triangulation infections begin with a message containing a malicious attachment sent via iMessage. Unlike in most malware infections – wherein the victim has to interact with the virulent content (e.g., open file, link, etc.) – the chain is jumpstarted automatically.

The attachment – an exploit – abuses a kernel vulnerability, which allows for the execution of malicious code. The chain then progresses to the download of multiple components from the C&C (Command and Control) server. The malware aims to escalate itself and gain root privileges.

Triangulation also infiltrates the TriangleDB spyware into the compromised device. While the former can obtain basic details from systems, the campaign relies on TriangleDB to acquire highly sensitive information (e.g., app data, user files, log-in credentials, etc.).

A significant bulk of Triangulation's operations are geared towards eradicating the evidence left behind by the infection. It even deletes the infectious message that jumpstarts the chain. These features complicate Triangulation's detection and analysis, although the malware cannot remove all traces of compromise. Digital forensics tools are able to recover some remnants of a Triangulation infection.

As mentioned in the introduction, this backdoor does not have the ability to ensure its persistence. Hence, when the device is rebooted – the malware is effectively eradicated. The sole method it employs to avoid untimely elimination is to prevent the iOS from updating. In some instances when an attempt to update the system is made, it results in an error message stating – "Software Update Failed. An error ocurred downloading iOS".

However, while a restart removes Triangulation – it does not prevent reinstallation. The infection can easily reoccur since the malware uses a zero-click exploit for infiltration. Therefore, after the iPhone is rebooted, it must be reset to factory settings. The reset must be followed up with an immediate iOS update.

It is noteworthy that malware developers often improve upon their creations. Hence, future Triangulation campaigns could use other techniques or have additional/different functionalities.

To summarize, the presence of software like Triangulation on devices can result in multiple system infections, severe privacy issues, financial losses, and identity theft.

Threat Summary:
Name Triangulation virus
Threat Type Trojan, backdoor malware
Detection Names Avast (MacOS:TriangleDb-A [Trj]), Combo Cleaner (Trojan.IOS.TriangleDb.A), ESET-NOD32 (IOS/TriangleDb.A), Kaspersky (Trojan.IphoneOS.TriangleDB.a), Microsoft (Trojan:iPhoneOS/TriangleDB!MTB), Full List Of Detections (VirusTotal)
Symptoms Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Exploit sent via iMessage
Damage Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.

Malware in general

Malware can have a wide variety of abilities, which can be in varied combinations (i.e., the functionalities are not mutually exclusive).

Malicious software can operate as a "trojan" – which is a broad term encompassing various programs that may serve as backdoors, data stealers, spyware (record desktops, audio/video via microphones and cameras, etc.), keyloggers (record keystrokes), clippers (replace clipboard content), etc.

Another popular class is ransomware – these programs encrypt victims' files and/or lock the device's screen for the purpose of making ransom demands. Cryptominer is a type of malware that abuses system resources to generate cryptocurrency.

However, regardless of how malicious software operates – its presence on a system endangers device integrity and user safety. Therefore, all threats must be eliminated immediately upon detection.

How did Triangulation infiltrate my device?

As previously mentioned, Triangulation uses a zero-click exploit to infiltrate iPhones. To elaborate, a message containing a malicious attachment is spent through iMessage. However, the exploit (attachment) auto-triggers without any user interaction.

The selection process for contact information connected to iMessage is currently unknown. It is likewise unclear whether some part of the process is randomized, relies on data obtained through phishing/ social engineering, or is entirely targeted.

It is unlikely that Triangulation's infection chain will be altered before the observed exploit becomes unavailable. Regardless, it is still worth mentioning the most widely used malware proliferation methods.

Malicious software is commonly spread via virulent attachments/links in spam mail (e.g., email, DM/PM, SMS, etc.), drive-by (stealthy/deceptive) downloads, untrustworthy download sources (e.g., freeware and free file-hosting websites, third-party app stores, Peer-to-Peer sharing networks, etc.), pirated software, illegal program activation ("cracking") tools, fake updates, online scams, and malvertising.

How to avoid installation of malware?

We strongly recommend researching software by reading terms and user/expert reviews, checking out necessary permissions, verifying developer legitimacy, etc.

Additionally, all downloads must be performed from official and trustworthy channels. It is just as important to activate and update programs by using legitimate functions/tools, as those obtained from third-parties can contain malware.

Another recommendation is to treat incoming emails and other messages with care. Attachments or links present in suspect/irrelevant mail must not be opened, as they can be infectious. We also advise being vigilant while browsing since fraudulent and malicious online content usually appears ordinary and harmless.

It is paramount to have a dependable anti-virus installed and kept updated. Security software must be used to run regular system scans and to remove detected threats.

Important!
While restarting the device will remove Triangulation malware, it will not prevent reinstallation.

To remove the Triangulation malware you must:

Frequently Asked Questions (FAQ)

My iPhone is infected with Triangulation malware, should I format my storage device to get rid of it?

Yes, Triangulation's removal requires a full factory reset, followed by an immediate update to the iOS.

What are the biggest issues that Triangulation malware can cause?

The threats associated with an infection depend on the malicious program's capabilities and the cyber criminals' goals. Triangulation is a backdoor; it essentially serves as a gateway for additional malicious programs and components (e.g., TriangleDB spyware). Generally, infections of this kind can result in severe privacy issues, financial losses, and identity theft.

What is the purpose of Triangulation malware?

In most cases, malware is utilized to generate revenue. However, cyber criminals can also use this software to amuse themselves, realize personal grudges, disrupt processes (e.g., websites, services, companies, etc.), and even launch politically/geopolitically motivated attacks.

How did Triangulation malware infiltrate my iPhone?

Triangulation infects devices through a malicious attachment in a message sent via iMessage. The infection occurs automatically upon the message's arrival and requires no user interaction. The selection process for targeted devices/victims is unknown.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Top Removal Guides
QR Code
Triangulation virus QR code
Scan this QR code to have an easy access removal guide of Triangulation virus on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.