Kaspersky has uncovered a new, sophisticated version of the Triada Trojan preinstalled on counterfeit Android smartphones allegedly sold through unauthorized retailers. Embedded in the system firmware, the malware operates undetected and grants attackers’ full control over infected devices. More than 2,600 users worldwide have been affected.
Unlike typical mobile malware delivered via malicious apps, this Triada variant is integrated into the system framework, infiltrating every running process.
It enables a wide range of malicious activity, including:
- Stealing messaging and social media accounts, including Telegram, TikTok, Facebook, and Instagram.
- Sending and deleting messages in apps like WhatsApp and Telegram.
- Substituting cryptocurrency wallet addresses.
- Redirecting phone calls by spoofing caller IDs.
- Monitoring browser activity and injecting links.
- Intercepting, sending, and deleting SMS messages.
- Enabling premium SMS charges.
- Downloading and executing additional payloads.
- Blocking network connections to potentially bypass anti-fraud systems.
“The Triada Trojan has evolved into one of the most advanced threats in the Android ecosystem,” said Dmitry Kalinin, Malware Analyst at Kaspersky Threat Research. “This new version infiltrates the device at the firmware level—before it even reaches the user—pointing to a supply chain compromise. According to the analysis of the open sources, attackers have already funneled at least $270,000 in stolen cryptocurrency to their wallets, though the actual total may be higher due to the use of untraceable coins like Monero.”
Kaspersky solutions detect this variant as Backdoor.AndroidOS.Triada.z.
First discovered in 2016, Triada has continually evolved, leveraging system-level privileges to execute fraud, hijack SMS authentication, and evade detection. This latest campaign marks a concerning escalation, as attackers potentially exploit supply chain flaws to deploy firmware-level malware on counterfeit devices.
