Counterfeit Android devices found preloaded with Triada malware
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
Kaspersky researchers report that this campaign mainly impacts Russian users, with at least 2,600 confirmed infections from March 13 to 27, 2025, based on visibility from its mobile protection tools.
The security researchers noted that Triada was found on counterfeit versions of popular smartphone models sold at online stores at discounted prices to attract the interest of unsuspecting buyers.
Triada is a modular Android malware first discovered in 2016, considered a pioneer at the time for operating almost entirely in the device's RAM to evade detection.
Since then, there have been multiple reports of Triada hiding in the firmware of low-cost Android phones sold through dubious unofficial retail channels, making it both a stealthy and a persistent threat that cannot be removed without reflashing the ROM.
Kaspersky's latest report indicates that the newest version of Triada remains highly evasive, hiding in Android's system framework and copying itself to every process on the smartphone.
The latest Triada malware variant performs the following actions on infected devices:
- Steals accounts from messengers and social media
- Sends and deletes messages via WhatsApp and Telegram to impersonate users
- Hijacks cryptocurrency by replacing wallet addresses in apps
- Tracks browsing activity and swaps links
- Spoofs phone numbers during calls to reroute conversations
- Intercepts, sends, and deletes SMS messages
- Enables premium-rate SMS to charge victims for paid services
- Downloads and runs additional apps remotely
- Blocks network connections to evade detection or disrupt defenses
Transaction analysis shows that the new Triada trojan has stolen at least $270,000 worth of cryptocurrency. However, the total amount stolen by the operation is unknown as it also involves the hard-to-trace Monero cryptocurrency.
Kaspersky isn't sure how the devices are infected with Triada but hypothesizes it's the result of a supply chain attack.
"Its [Triada's] new version is embedded into smartphone firmware before the devices even reach users," commented Kaspersky's Dmitry Kalinin.
"It is likely that the supply chain is compromised at some point, so even the stores may not realize they're selling phones with Triada."
To mitigate this risk, only buy smartphones from authorized distributors.
When in doubt, reflash your device using a clean system image from Google, or a trustworthy third-party ROM like LineageOS or GrapheneOS.