Apr 03, 2025 | Ravie Lakshmanan | Threat Intelligence / Mobile Security

Researchers have discovered counterfeit versions of popular smartphone models that have been selling at discounted prices, preloaded with a modified version of the Android malware known as Triada.

According to a recent report by Kaspersky, over 2,600 users across various countries encountered the new version of Triada between March 13 and 27, 2025, with the majority of infections found in Russia.

Triada is a type of modular Android malware that was first identified by Kaspersky in March 2016. This remote access trojan (RAT) is capable of stealing sensitive information and recruiting infected devices into a botnet for malicious activities.

In the past, Triada was distributed through intermediate apps on the Google Play Store and other platforms that gained root access to compromised phones. However, recent campaigns have used modified WhatsApp applications, such as FMWhatsApp and YoWhatsApp, as a means of propagation.


Modified versions of Triada have also been found on off-brand Android tablets, TV boxes, and digital projectors as part of a widespread fraud scheme known as BADBOX, which leverages hardware supply chain compromises and third-party marketplaces for initial access.

This behavior was first observed in 2017, when the malware evolved into a pre-installed Android framework backdoor, enabling threat actors to remotely control devices, inject more malware, and exploit them for illicit activities.

Google noted in June 2019 that “Triada infects device system images through a third-party during the production process.” The company pointed out that OEMs may partner with third-party vendors to develop features not included in the Android Open Source Project, such as face unlock, and these vendors may inadvertently infect the system image with Triada.

The latest samples of the malware analyzed by Kaspersky show that they are located in the system framework, granting attackers unlimited access and control to perform various activities, including:

  • Stealing user accounts associated with instant messengers and social networks, such as Telegram and TikTok
  • Sending WhatsApp and Telegram messages on behalf of the victim and deleting them to remove traces
  • Acting as a clipper by hijacking clipboard content with cryptocurrency wallet addresses to replace them with a wallet under their control
  • Monitoring web browser activity and replacing links
  • Replacing phone numbers during calls
  • Intercepting SMS messages and subscribing victims to premium SMS services
  • Downloading other programs
  • Blocking network connections to interfere with anti-fraud systems
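The clipper behaviour in the list above (silently swapping a copied wallet address for one the attacker controls) is the one capability a wallet app can check for on its own. The following is an added example, not code from Kaspersky or the article: it fingerprints the address family of what the user copied and flags a paste that is a different address of the same family, which is the signature of a pattern-matching clipper. The address patterns are simplified and constructed for illustration (real validators also verify checksums).

```python
import re

# Simplified address patterns (constructed for this example) covering the
# formats a clipper typically pattern-matches on before substituting.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":       re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_family(text: str):
    """Return the wallet-address family the string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def check_paste(copied: str, pasted: str) -> str:
    """Compare what the user copied with what arrives at paste time.

    Returns:
      'ok'      - clipboard content unchanged
      'swapped' - both strings are wallet addresses of the same family but
                  differ: the signature of a clipper substitution
      'changed' - content differs in some other way (not a wallet swap)
    """
    if copied == pasted:
        return "ok"
    fam_copied, fam_pasted = address_family(copied), address_family(pasted)
    if fam_copied is not None and fam_copied == fam_pasted:
        return "swapped"
    return "changed"


if __name__ == "__main__":
    # Constructed sample: the user copies one ETH address, the paste yields another.
    copied = "0x" + "a" * 40
    pasted = "0x" + "b" * 40
    print(check_paste(copied, pasted))  # swapped
```

A wallet app would record the address at copy time (or ask the user to confirm the first and last characters) and refuse to send when the verdict is "swapped".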

It’s worth noting that Triada is not the only malware that has been preloaded on Android devices during manufacturing. In May 2018, Avast revealed that several hundred Android models, including those from ZTE and Archos, were shipped with pre-installed adware called Cosiloon.

Kaspersky researcher Dmitry Kalinin stated, “The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android. Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada.”


“At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets between June 13, 2024, and March 27, 2025.”

The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter of which targets over 750 banking, financial, and cryptocurrency applications.

Both malware families are distributed via dropper apps that impersonate legitimate Google services and abuse Android’s accessibility services to remotely control infected devices and conduct overlay attacks to siphon banking credentials and credit card details.

The disclosure also comes as ANY.RUN detailed a new Android malware strain dubbed Salvador Stealer that masquerades as a banking application catering to Indian users and is capable of harvesting sensitive user information.
