Pierluigi Paganini
April 03, 2025
Kaspersky researchers discovered a new Triada trojan variant preinstalled on thousands of Android devices, enabling data theft upon setup. Kaspersky detected 2,600+ infections in Russia from March 13-27, 2025.
The malware was discovered on counterfeit Android devices mimicking popular smartphone models. The researchers speculate that threat actors behind this variant have compromised the supply chain, so stores may not even suspect that they are selling smartphones infected with Triada
“The new version of the malware is distributed in the firmware of infected Android devices. It is located in the system framework. This means that a copy of Triada gets into every process on the smartphone.” reads the report published by Kaspersky. “The malware has broad functionality and gives attackers almost unlimited control over the gadget”
The malware, embedded in the system framework, provides attackers full control over the device. It can steal accounts, send messages, steal crypto, monitor browsing, intercept SMS, and more.
“the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies*** to their crypto wallets.” said Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab. “However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”
To protect against malware, experts recommend buying smartphones from authorized distributors and installing security solutions like Kaspersky for Android immediately.
In March 2018, security researchers at Antivirus firm Dr.Web discovered that 42 models of low-cost Android smartphones were shipped with the Android.Triada.231 banking malware.
The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab who considered it the most advanced mobile threat seen to the date of the discovery.
Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities.
The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.
The only way to remove the threat is to wipe the smartphone and reinstall the OS.
Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices of several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.
In July 2017, Dr..Web researchers discovered many smartphone models were shipped with the dreaded Triada trojan such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
The experts who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
