Security researchers from Kaspersky have discovered a sophisticated variant of the Triada Trojan pre-installed on thousands of counterfeit Android smartphones. The malware, embedded in the system firmware, has infected over 2,600 devices worldwide, with the majority of cases detected in Russia. The discovery follows a broader pattern of firmware-based malware attacks, including the recent BADBOX operation that affected 192,000 Android devices.
The Triada Trojan is deeply integrated into the system framework, so a copy of it ends up inside every running process on the device. This level of integration lets the malware carry out a wide range of malicious activities while evading typical security measures. The approach resembles recent trends in sophisticated Android malware, such as the Crocodilus banking malware, which similarly targets financial applications and cryptocurrency wallets.
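The "a copy gets into every process" behaviour described above suggests one defensive heuristic: a shared library that is mapped into nearly every process on the device but is absent from a known-good inventory of the firmware is worth investigating. The script below is an added illustration, not code from Kaspersky or from the article; the known-good inventory, the `/proc/<pid>/maps`-style sample lines and the library name `libplaceholder_inject.so` are all constructed for the example and are not real Triada indicators.

```python
"""Heuristic: find shared objects mapped into (almost) every process that are
not in a known-good inventory of the device's firmware libraries.

Added example; the inventory, the sample maps data and the suspicious library
name are constructed placeholders, not indicators from the original article.
"""
import re
from collections import defaultdict

# One line of /proc/<pid>/maps: range, perms, offset, device, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>\S.*)?$"
)

# Constructed inventory of libraries expected on a clean build (assumption).
KNOWN_GOOD = {
    "/system/lib64/libc.so",
    "/system/lib64/libandroid_runtime.so",
    "/system/framework/framework.jar",
}

# Constructed sample: maps listings for four processes, keyed by pid.
# libplaceholder_inject.so is a stand-in for an injected library.
SAMPLE_MAPS = {
    101: [
        "7f1a2b3c4000-7f1a2b3d0000 r-xp 00000000 fd:00 4096   /system/lib64/libc.so",
        "7f1a2b4c4000-7f1a2b4d0000 r--p 00000000 fd:00 4097   /system/framework/framework.jar",
        "7f1a2b5c4000-7f1a2b5d0000 r-xp 00000000 fd:00 4098   /system/lib64/libplaceholder_inject.so",
        "7f1a2b6c4000-7f1a2b6d0000 rw-p 00000000 00:00 0",
        "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0   [stack]",
    ],
    102: [
        "7f2a2b3c4000-7f2a2b3d0000 r-xp 00000000 fd:00 4096   /system/lib64/libc.so",
        "7f2a2b4c4000-7f2a2b4d0000 r--p 00000000 fd:00 4097   /system/framework/framework.jar",
        "7f2a2b5c4000-7f2a2b5d0000 r-xp 00000000 fd:00 4098   /system/lib64/libplaceholder_inject.so",
    ],
    103: [
        "7f3a2b3c4000-7f3a2b3d0000 r-xp 00000000 fd:00 4096   /system/lib64/libc.so",
        "7f3a2b4c4000-7f3a2b4d0000 r--p 00000000 fd:00 4097   /system/framework/framework.jar",
        "7f3a2b5c4000-7f3a2b5d0000 r-xp 00000000 fd:00 4098   /system/lib64/libplaceholder_inject.so",
        "7f3a2b7c4000-7f3a2b7d0000 r-xp 00000000 fd:00 5001   /vendor/lib64/libvendorcam.so",
    ],
    104: [
        "7f4a2b3c4000-7f4a2b3d0000 r-xp 00000000 fd:00 4096   /system/lib64/libc.so",
        "7f4a2b5c4000-7f4a2b5d0000 r-xp 00000000 fd:00 4098   /system/lib64/libplaceholder_inject.so",
    ],
}


def parse_mapped_files(lines):
    """Return the set of file-backed mappings found in one process's maps listing."""
    paths = set()
    for line in lines:
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path"):
            continue  # anonymous mapping
        path = m.group("path")
        if path.startswith("["):
            continue  # pseudo-paths such as [stack], [heap], [anon:...]
        paths.add(path)
    return paths


def find_pervasive_unknown_libs(maps_by_pid, known_good, min_fraction=0.9):
    """Return {path: process_count} for .so files mapped into at least
    min_fraction of all processes and not listed in known_good."""
    counts = defaultdict(int)
    for lines in maps_by_pid.values():
        for path in parse_mapped_files(lines):
            counts[path] += 1
    total = len(maps_by_pid)
    return {
        path: n
        for path, n in counts.items()
        if path.endswith(".so") and path not in known_good and n / total >= min_fraction
    }


if __name__ == "__main__":
    for path, n in find_pervasive_unknown_libs(SAMPLE_MAPS, KNOWN_GOOD).items():
        print(f"{path}: mapped into {n}/{len(SAMPLE_MAPS)} processes, not in inventory")
```

On a real device the inventory would come from a reference image of the same build, and the maps listings from `/proc/<pid>/maps` collected with root or a forensic image; the vendor camera library in the sample is unknown but only appears in one process, so it is not reported, while the placeholder library is flagged because it is present everywhere.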
The malware’s capabilities include stealing login credentials for social media and messenger accounts, manipulating messages in applications like WhatsApp and Telegram, redirecting cryptocurrency transactions by altering wallet addresses, and falsifying caller IDs. Additionally, it can monitor browser activity, insert manipulated links, intercept SMS messages, activate premium SMS services, and install and execute additional malware.
“The new version of the malware is distributed in the firmware of infected Android devices. It is located in the system framework. This means that a copy of Triada gets into every process on the smartphone,” said Dmitry Kalinin, a malware analyst at Kaspersky.
The attackers have successfully monetized their operations, with Kalinin noting that “they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets.” The actual amount could be higher due to the use of untraceable cryptocurrencies like Monero. The pattern matches increasing cryptocurrency-related cyber threats, as documented in recent cases of sophisticated phishing scams targeting crypto holders.
The presence of the malware in device firmware indicates a compromised supply chain. “Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” Kalinin explained. The situation highlights the growing importance of initiatives like Egypt’s recent efforts to combat illegal phone imports through enhanced verification systems.
The infections were documented between March 13 and 27, 2025, primarily affecting users who purchased counterfeit versions of popular smartphone models at discounted prices. Complete removal of the Triada Trojan requires wiping the smartphone and reinstalling the operating system.
Security experts recommend purchasing devices exclusively from authorized distributors and installing security solutions immediately after purchase to prevent infection. The advice comes amid a surge in Android-based threats, with recent reports indicating over 22,800 malicious applications detected in recent months.
Sources: IT Daily, Security Affairs, Cointelegraph, Bleeping Computer