Triada Malware Preloaded on Counterfeit Android Devices

Counterfeit Android phones are infecting users with Triada malware pre-installed in the firmware, stealing data and cryptocurrency. This supply chain attack highlights the risks of purchasing from unauthorized sellers.
Thousands of counterfeit Android devices are being sold with Triada malware preinstalled, posing a significant security risk. This new campaign, primarily targeting Russian users, saw at least 2,600 confirmed infections between March 13th and 27th, 2025, according to Kaspersky researchers.

These devices, disguised as popular smartphone models, are offered at discounted prices on online marketplaces, attracting unsuspecting buyers. The Triada malware, first discovered in 2016, is known for its ability to operate primarily in the device’s RAM, evading detection.

Past instances have shown Triada embedded in the firmware of low-cost Android phones sold through unofficial channels, making removal difficult without a ROM reflash.

This latest Triada variant is even more stealthy, hiding within the Android system framework and replicating itself across all smartphone processes. Its malicious capabilities include:

• Stealing accounts from messengers and social media platforms.
• Sending and deleting messages via WhatsApp and Telegram to impersonate users.
• Hijacking cryptocurrency by altering wallet addresses in applications.
• Tracking browsing activity and manipulating links.
• Spoofing phone numbers during calls to redirect conversations.
• Intercepting, sending, and deleting SMS messages.
• Enabling premium SMS services to incur charges.
• Remotely downloading and executing additional apps.
• Blocking network connections to hinder detection or defenses.

The malware’s financial impact is substantial. Transaction analysis reveals at least $270,000 in cryptocurrency theft, though the actual amount is likely higher due to the use of untraceable Monero.

Kaspersky suspects a supply chain attack is responsible for the malware’s presence on these devices.

Dmitry Kalinin of Kaspersky commented, “Its [Triada’s] new version is embedded into smartphone firmware before the devices even reach users. It is likely that the supply chain is compromised at some point, so even the stores may not realize they’re selling phones with Triada.”

To protect against this threat, Kaspersky recommends purchasing smartphones only from authorized distributors. If there’s any doubt, reflashing the device with a clean system image from Google, LineageOS, or GrapheneOS is advised.
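Kaspersky's advice comes down to one question a buyer or a corporate mobile-device team can actually check: is the firmware on the device the vendor's release build, with Verified Boot intact? The script below is an added example, not code from this article or from Kaspersky. It parses the output of `adb shell getprop` and flags the standard Android build and boot properties that a re-signed or modified firmware image commonly exposes (non-green Verified Boot state, unlocked bootloader, test-keys signing, a debuggable build, and a build fingerprint that does not match what the advertised model should report). The two embedded property dumps are constructed samples, and the `example_vendor` fingerprint is a placeholder for the fingerprint you would look up for the real model.

```python
"""Triage Android build properties for signs of modified or re-signed firmware.

Added example (not the article's or Kaspersky's code). Works on saved
`adb shell getprop` output or, with live_getprop(), on a connected device.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# getprop prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# Constructed sample: a device sold as a flagship model but running a
# userdebug build signed with AOSP test keys on an unlocked bootloader.
SUSPECT_GETPROP = """\
[ro.product.model]: [Flagship Model X]
[ro.build.fingerprint]: [example_vendor/example_device/example_device:12/EXAMPLE.000000.000/1:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
"""

# Constructed sample: the same model on a locked, release-keys vendor build.
CLEAN_GETPROP = """\
[ro.product.model]: [Flagship Model X]
[ro.build.fingerprint]: [example_vendor/example_device/example_device:12/EXAMPLE.000000.000/1:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
"""


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a dict; lines that are not property pairs are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess(props: Dict[str, str], expected_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings: List[str] = []

    # Verified Boot: green = locked and verified; orange/yellow/red are not.
    vbstate = props.get("ro.boot.verifiedbootstate")
    if vbstate is None:
        findings.append("no Verified Boot state reported (ro.boot.verifiedbootstate missing)")
    elif vbstate != "green":
        findings.append(f"Verified Boot state is '{vbstate}', not 'green'")

    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader is unlocked (ro.boot.flash.locked=0)")

    # Vendor release builds are signed with release-keys; test-keys are the public AOSP keys.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build is signed with test-keys, not vendor release keys")

    build_type = props.get("ro.build.type", "user")
    if build_type != "user":
        findings.append(f"build type is '{build_type}', expected 'user'")

    if props.get("ro.debuggable") == "1":
        findings.append("build is debuggable (ro.debuggable=1)")

    # Counterfeits spoof ro.product.model, so compare the full fingerprint against
    # the one the vendor publishes for this model, when the caller supplies it.
    expected = set(expected_fingerprints)
    fingerprint = props.get("ro.build.fingerprint", "")
    if expected and fingerprint not in expected:
        findings.append(f"build fingerprint '{fingerprint}' does not match the expected fingerprint for this model")

    return findings


def live_getprop(serial: Optional[str] = None) -> str:
    """Read properties from a connected device over adb (needs Android platform tools on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    expected = {parse_getprop(CLEAN_GETPROP)["ro.build.fingerprint"]}
    for label, dump in (("suspect", SUSPECT_GETPROP), ("clean", CLEAN_GETPROP)):
        found = assess(parse_getprop(dump), expected)
        print(f"{label}: {'no indicators' if not found else str(len(found)) + ' indicator(s)'}")
        for item in found:
            print("  -", item)
```

Two caveats matter when reading the result. Every one of these indicators also fires on a device whose owner deliberately unlocked it and flashed a custom ROM, so a hit means "not the vendor's release build", not "infected". Conversely, a firmware-level implant runs below the layer that reports these properties and can in principle report whatever it likes, so a clean result is a necessary check rather than proof; the expected fingerprint should come from the vendor's own firmware listing, and a device that fails the check is exactly the case where the reflash the article recommends applies.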
