Triada Trojan Resurfaces: Preinstalled Malware Found on Thousands of Android Devices


A Silent Threat in New Android Phones

A newly discovered variant of the Triada Trojan has been found preinstalled on thousands of Android smartphones, putting users at risk as soon as they power on their devices. Security researchers at Kaspersky report that this malware campaign primarily affects Russian users, with over 2,600 confirmed infections between March 13 and 27, 2025.

The infected devices are counterfeit versions of popular smartphone models, sold through online stores at heavily discounted prices. Unsuspecting buyers, enticed by the attractive deals, unknowingly purchase devices already compromised with malware.

Triada, first discovered in 2016, was groundbreaking at the time for its stealthy approach—operating almost entirely in RAM to avoid detection. Over the years, it has evolved into a persistent threat, often embedded in the firmware of low-cost Android devices. Once installed, Triada cannot be removed without reflashing the entire system.

Kaspersky’s latest findings reveal that the newest Triada variant is more evasive than ever. It hides within the Android system framework, allowing it to spread across every running process on the infected smartphone.

What Does the New Triada Variant Do?

The latest version of Triada carries out several malicious activities, including:

– Stealing messenger and social media accounts
  • Impersonating users by sending and deleting messages on WhatsApp and Telegram
– Hijacking cryptocurrency transactions by modifying wallet addresses
– Monitoring browsing activity and altering links
– Spoofing phone numbers to redirect calls
– Intercepting, sending, and deleting SMS messages
  • Enabling premium SMS services to charge users for paid subscriptions
– Downloading and executing additional malicious applications
  • Blocking network connections to prevent detection and disable security defenses

So far, forensic analysis of transactions linked to the malware suggests that at least $270,000 worth of cryptocurrency has been stolen. However, the actual amount could be significantly higher, especially since Monero—a cryptocurrency designed for anonymity—was also involved.

How Are Devices Getting Infected?

Kaspersky suspects that the malware is being introduced through a supply chain attack, meaning the devices are compromised before they even reach consumers. According to security researcher Dmitry Kalinin, “It is likely that the supply chain is compromised at some point, so even the stores may not realize they’re selling phones with Triada.”

How to Protect Yourself

To avoid falling victim to preinstalled malware:

  • Buy from authorized sellers – Only purchase smartphones from trusted retailers and official distributors.
  • Reflash the system – If
  • Use mobile security tools – Install a reliable antivirus solution to monitor for suspicious activity.

What Undercode Says:

The discovery of Triada preinstalled on new Android devices highlights a growing concern in the smartphone industry: supply chain attacks. Instead of targeting users directly, hackers compromise manufacturers, distributors, or third-party vendors to embed malware before the device even reaches the buyer.

This method is particularly dangerous because:

  • It’s nearly impossible for users to detect. Since the malware is hidden in the firmware, traditional antivirus apps may not identify it.
  • It makes security measures ineffective. Even a factory reset won’t remove the malware, as it is embedded deep within the system files.
  • It impacts a vast number of users at once. A single compromised shipment can lead to thousands of infected devices being distributed worldwide.

Why Is Triada So Effective?

  1. RAM-based Execution: Operating primarily in the
  2. System-Level Access: By hiding in the Android system framework, it can manipulate almost every process on the phone.
  3. Modular Capabilities: Triada can download and execute additional malicious components, making it adaptable for different cybercriminal activities.
  4. Persistence: Unlike traditional malware, which can be removed by uninstalling an app, Triada remains even after a factory reset.

Financial and Privacy Risks

The malware’s ability to hijack cryptocurrency transactions is particularly concerning. It modifies wallet addresses in real-time, meaning users unknowingly send funds to hackers instead of their intended recipients. With at least $270,000 stolen so far, the financial damage is significant.
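As an added illustration (this is not code from Kaspersky, BleepingComputer or Undercode, and not Triada's own code), the following Python shows the kind of pre-send check a wallet app can run to catch the clipboard substitution described above: the address that ends up in the transaction is compared, in full, against the address the user confirmed out of band, and its checksum is verified. It assumes Bitcoin-style legacy Base58Check addresses; the sample addresses are constructed from fake hash bytes and the function names are hypothetical.

```python
import hashlib
from typing import Optional

# Added illustration (not Kaspersky's analysis code and not Triada's code):
# a pre-send check a wallet app can run to catch a clipboard "clipper"
# swapping the destination address. Addresses are constructed
# Bitcoin-style legacy (Base58Check) strings; all names are hypothetical.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def b58_encode(data: bytes) -> str:
    """Plain Base58: big-endian integer, one leading '1' per leading zero byte."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58_decode(s: str) -> Optional[bytes]:
    """Inverse of b58_encode; None if the string has a non-Base58 character."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(payload: bytes) -> str:
    """Base58Check: append the first 4 bytes of SHA256(SHA256(payload))."""
    return b58_encode(payload + _sha256d(payload)[:4])


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return version+payload bytes if the checksum verifies, else None."""
    data = b58_decode(addr)
    if data is None or len(data) < 5:
        return None
    payload, chk = data[:-4], data[-4:]
    return payload if _sha256d(payload)[:4] == chk else None


def check_destination(intended: str, in_transaction: str) -> dict:
    """Compare the address the user confirmed out of band (read from the
    recipient's screen, an invoice, or a previous payment) with the address
    that actually ended up in the transaction after the paste.

    A clipper substitutes the string between copy and paste, so only an exact
    full-string comparison is conclusive: the checksum passes for any
    well-formed address, including the attacker's, and matching first/last
    characters is not a substitute for comparing the whole string."""
    return {
        "checksum_ok": b58check_decode(in_transaction) is not None,
        "exact_match": intended == in_transaction,
        "ends_match": (intended[:4] == in_transaction[:4]
                       and intended[-4:] == in_transaction[-4:]),
    }


def safe_to_send(intended: str, in_transaction: str) -> bool:
    """Allow signing only if the address is well-formed AND exactly the confirmed one."""
    r = check_destination(intended, in_transaction)
    return r["checksum_ok"] and r["exact_match"]


# Constructed sample data: version byte 0x00 plus a fake 20-byte hash.
INTENDED = b58check_encode(b"\x00" + bytes(range(20)))
SWAPPED = b58check_encode(b"\x00" + bytes(range(20, 40)))  # attacker-controlled, but well-formed
_raw = b58_decode(INTENDED)
CORRUPTED = b58_encode(_raw[:-4] + bytes(x ^ 0xFF for x in _raw[-4:]))  # checksum deliberately broken

if __name__ == "__main__":
    print("intended :", INTENDED)
    print("swapped  :", SWAPPED, check_destination(INTENDED, SWAPPED))
    print("safe?", safe_to_send(INTENDED, INTENDED), safe_to_send(INTENDED, SWAPPED))
```

The point of the example is that checksum validation alone does not help against a clipper: the substituted address is a perfectly valid address, just not the one the user meant. The only conclusive defence at the application layer is comparing the full destination string against a value obtained outside the compromised copy/paste path, which is why `safe_to_send` requires an exact match rather than matching ends.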

Beyond financial theft, Triada’s ability to intercept messages, impersonate users, and track browsing activity raises serious privacy concerns. Cybercriminals could use stolen social media accounts to spread further malware, commit fraud, or even engage in identity theft.

The Bigger Picture: Can We Trust Our Devices?

This case underscores a critical issue in the Android ecosystem—the lack of strict oversight in device manufacturing and distribution. Unlike Apple, which maintains tight control over its hardware and software, Android devices are produced by various manufacturers, many of whom rely on third-party suppliers. This decentralized approach makes Android more vulnerable to supply chain attacks.

Manufacturers and retailers must take responsibility by conducting stricter security audits on firmware before selling devices. Meanwhile, users must remain vigilant and prioritize security over price when purchasing a new smartphone.

Fact Checker Results

  • Confirmed infections: Kaspersky has verified at least 2,600 cases, primarily in Russia.
  • Financial damage: The malware has stolen at least $270,000 in cryptocurrency, but the real number could be much higher.
  • Removal difficulty: Triada is embedded in the firmware, making it impossible to remove without completely reflashing the system.

References:

Reported By: https://www.bleepingcomputer.com/news/security/counterfeit-android-devices-found-preloaded-with-triada-malware/