Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada.
“More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia,” Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.
Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it’s equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities.
While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vector.
Over the years, altered versions of Triada have also found their way into off-brand Android tablets, TV boxes, and digital projectors as part of a widespread fraud scheme called BADBOX that has leveraged hardware supply chain compromises and third-party marketplaces for initial access.
This behavior was first observed in 2017, when the malware evolved to a pre-installed Android framework backdoor, allowing the threat actors to remotely control the devices, inject more malware, and exploit them for various illicit activities.
“Triada infects device system images through a third-party during the production process,” Google noted in June 2019. “Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development.”
The tech giant, at that time, also pointed fingers at a vendor that went by the name Yehuo or Blazefire as the party likely responsible for infecting the returned system image with Triada.
The latest samples of the malware analyzed by Kaspersky show that they are located in the system framework, thus allowing it to be copied to every process on the smartphone and giving the attackers unfettered access and control to perform various activities –
- Steal user accounts associated with instant messengers and social networks, such as Telegram and TikTok
- Stealthily send WhatsApp and Telegram messages to other contacts on behalf of the victim and delete them in order to remove traces
- Act as a clipper by hijacking clipboard content with cryptocurrency wallet addresses to replace them with a wallet under their control
- Monitor web browser activity and replace links
- Replace phone numbers during calls
- Intercept SMS messages and subscribe victims to premium SMS
- Download other programs
- Block network connections to interfere with the normal functioning of anti-fraud systems
It’s worth noting that Triada is not the only malware that has been preloaded on Android devices during the manufacturing stages. In May 2018, Avast revealed that several hundred Android models, including those from like ZTE and Archos, were shipped pre-installed with another adware called Cosiloon.
“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” Kaspersky researcher Dmitry Kalinin said. “Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada.”
“At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets [between June 13, 2024, to March 27, 2025].”
The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter of which targets over 750 banking, financial, and cryptocurrency applications.
Both the malware families are distributed via dropper apps that impersonate legitimate Google services. They also abuse Android’s accessibility services to remotely control the infected devices, and conduct overlay attacks to siphon banking credentials and credit card details.
The disclosure also comes as ANY.RUN detailed a new Android malware strain dubbed Salvador Stealer that masquerades as a banking application catering to Indian users (package name: “com.indusvalley.appinstall“) and is capable of harvesting sensitive user information.
