Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada.
"More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.
Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities.
While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vector.
Over the years, altered versions of Triada have also found their way into off-brand Android tablets, TV boxes, and digital projectors as part of a widespread fraud scheme called BADBOX that has leveraged hardware supply chain compromises and third-party marketplaces for initial access.
This behavior was first observed in 2017, when the malware evolved to a pre-installed Android framework backdoor, allowing the threat actors to remotely control the devices, inject more malware, and exploit them for various illicit activities.
"Triada infects device system images through a third-party during the production process," Google noted in June 2019. "Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development."
The tech giant, at that time, also pointed fingers at a vendor that went by the name Yehuo or Blazefire as the party likely responsible for infecting the returned system image with Triada.
The latest samples of the malware analyzed by Kaspersky show that they are located in the system framework, thus allowing it to be copied to every process on the smartphone and giving the attackers unfettered access and control to perform various activities -
- Steal user accounts associated with instant messengers and social networks, such as Telegram and TikTok
- Stealthily send WhatsApp and Telegram messages to other contacts on behalf of the victim and delete them in order to remove traces
- Act as a clipper by hijacking clipboard content with cryptocurrency wallet addresses to replace them with a wallet under their control
- Monitor web browser activity and replace links
- Replace phone numbers during calls
- Intercept SMS messages and subscribe victims to premium SMS
- Download other programs
- Block network connections to interfere with the normal functioning of anti-fraud systems
It's worth noting that Triada is not the only malware that has been preloaded on Android devices during the manufacturing stages. In May 2018, Avast revealed that several hundred Android models, including those from like ZTE and Archos, were shipped pre-installed with another adware called Cosiloon.
"The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android," Kaspersky researcher Dmitry Kalinin said. "Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada."
"At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets [between June 13, 2024, to March 27, 2025]."
The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter of which targets over 750 banking, financial, and cryptocurrency applications.
Both the malware families are distributed via dropper apps that impersonate legitimate Google services. They also abuse Android's accessibility services to remotely control the infected devices, and conduct overlay attacks to siphon banking credentials and credit card details.
The disclosure also comes as ANY.RUN detailed a new Android malware strain dubbed Salvador Stealer that masquerades as a banking application catering to Indian users (package name: "com.indusvalley.appinstall") and is capable of harvesting sensitive user information.
Google Responds
Following the publication of the story, a Google spokesperson told The Hacker News that the Android devices infected by Triada are not Play Protect certified, and that users are protected against Crocodilus and TsarBot by Google Play Protect.
"The infected devices are Android Open Source Project devices, not Android OS or Play Protect certified Android devices," the spokesperson said. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."
Kaspersky Details New Triada Version
In an updated analysis published on April 25, 2025, Kaspersky said it had detected over 4,500 Triada infections worldwide. The highest concentration of victims has been recorded in Russia, followed by the United Kingdom, the Netherlands, Germany, Brazil, and the United Arab Emirates.
The starting point of the infection is a shared object library called "binary.so" that's loaded into Zygote, the parent process for every Android application, by an infected ahead-of-time (AOT) compiled Android system framework ("boot-framework.oat") located in the "/system/framework/" directory.
The library is configured to download additional payloads, including infecting cryptocurrency applications with a stealer that intercepts transaction requests and substitutes a victim's crypto wallet address in the relevant text fields with an address belonging to the attackers.
On other apps, it delivers a dropper that can install arbitrary APKs on the device and uninstall any apps, with each module tailored to the targeted app -
- Telegram - Gathers victim's Telegram authentication data, phone number, and account details, as well as decode and execute another payload that monitors incoming messages, checks them against certain pre-defined patterns from a remote server, and deletes them from the client in case of a match
- Instagram - Extracts active Instagram sessions
- WhatsApp - Reads WhatsApp client cryptographic keys to take over victim accounts, and hijack the function associated with sending and receiving messages to deliver arbitrary texts and delete sent messages to cover up the tracks
- Facebook - Steals Facebook authentication cookies from Facebook Lite, Messenger, and Messenger Lite apps, and open arbitrary links in WebView containing JavaScript code to siphon account data
- LINE - Collects LINE app data and information about the victim device
- Skype - Reads internal Skype files every hour and extract a token that allows access to the Skype account
- TikTok - Reads cached TikTok cookies (e.g., msToken) from an internal directory and gather user-related data with the likely goal of simulating a user device and interacting with the app's API
- Browser - Intercepts links being opened in a web browser to advertising resources
- SMS - Monitors incoming SMS messages and sign up victims for paid subscriptions, and send arbitrary SMS messages
- Reverse proxy - Turns the infected device into a reverse proxy
- Call - Executes arbitrary JavaScript code using WebView via the device's phone app to intercept and substitute phone numbers
- Clipper - Tracks victim's clipboard every two seconds and replaces any cryptocurrency wallet address with an attacker-controlled one
"The new version of the Triada Trojan is a multi-stage backdoor giving attackers unlimited control over a victim's device," the company said. "The modular architecture provides its authors with a range of malicious capabilities, including targeted delivery of new modules and mass infection of specific applications."
(The story was updated after publication to include a response from Google and additional details shared by Kaspersky.)
