Triada Malware Preloaded on Counterfeit Android Phones Infects Over 2,600 Devices


April 03, 2025 | Ravie Lakshmanan | Mobile Threat / Security Intelligence

Counterfeit versions of popular smartphone models, sold at reduced prices, have been found to be preloaded with a modified version of an Android malware called Triada.

“More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia,” Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.

Triada is the name given to a family of modular Android malware that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it is equipped to steal a wide range of sensitive information, as well as enlist infected devices in a botnet for other malicious activities.

While the malware was previously observed being distributed via intermediary apps published on the Google Play Store (and elsewhere) that gained root access to compromised phones, subsequent campaigns have used WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vector.

Over the years, modified versions of Triada have also found their way onto off-brand Android tablets, TV boxes and digital projectors as part of a large-scale fraud scheme called BadBox, which has exploited compromises of the hardware supply chain and third-party marketplaces for initial access.

This behavior was first observed in 2017, when the malware evolved into a preinstalled Android backdoor, allowing threat actors to control devices remotely, inject additional malware and exploit them for various illicit activities.

“Triada infects device system images via a third party during the production process,” Google noted in June 2019. “Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development.”

The tech giant, at the time, also pointed fingers at a vendor called Yehuo or Blazefire as the party likely responsible for the Triada-infected system image.

The latest malware samples analyzed by Kaspersky show that it resides within the system framework, which allows it to copy itself into every process on the smartphone and gives attackers unrestricted access and control to carry out various activities –

  • Steal user accounts associated with instant messengers and social networks, such as Telegram and TikTok
  • Send WhatsApp and Telegram messages to other contacts in the victim's name and then delete them to cover traces
  • Act as a clipper by hijacking cryptocurrency wallet addresses copied to the clipboard and replacing them with a wallet under the attackers' control
  • Monitor web browser activity and replace links
  • Replace phone numbers during calls
  • Intercept SMS messages and subscribe victims to premium SMS services
  • Download additional programs
  • Block network connections to interfere with the normal operation of anti-fraud systems
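The clipper behavior in the list above has a simple defensive signature: an address-like clipboard value is overwritten by a different address-like value without the user having copied anything. The script below, an added example that is not part of Kaspersky's report or of this article, runs that check over a constructed clipboard event trace and also shows the pre-send comparison a wallet app or user can make. The event format, the `ClipboardEvent` type and the address regexes are assumptions made for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative patterns for two common wallet-address formats (assumption: these
# regexes are good enough for a demo, not a full validator).
BTC_RE = re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def looks_like_wallet_address(text: str) -> bool:
    """True if the text is shaped like a BTC or ETH address."""
    t = text.strip()
    return bool(BTC_RE.match(t) or ETH_RE.match(t))


@dataclass
class ClipboardEvent:
    ts: float       # seconds since start of the trace
    source: str     # "user_copy" = user pressed copy; "other" = write with no copy action seen
    content: str


def find_clipper_substitutions(events: List[ClipboardEvent]) -> List[Tuple[str, str, float]]:
    """Return (original, replacement, delay_seconds) for each case where an
    address-like clipboard value is overwritten by a *different* address-like
    value without an intervening user copy action. That is the clipper signature."""
    findings: List[Tuple[str, str, float]] = []
    last_addr: Optional[str] = None
    last_ts = 0.0
    for ev in events:
        text = ev.content.strip()
        if ev.source == "user_copy":
            # A genuine copy resets the baseline; only track it if it is an address.
            last_addr = text if looks_like_wallet_address(text) else None
            last_ts = ev.ts
            continue
        if last_addr is not None and looks_like_wallet_address(text) and text != last_addr:
            findings.append((last_addr, text, ev.ts - last_ts))
            last_addr = None  # report each substitution once
    return findings


def safe_to_paste(copied: str, pasted: str) -> bool:
    """Pre-send check: the address about to be used must equal what was copied."""
    return copied.strip() == pasted.strip()


# Constructed sample trace (not real telemetry): the user copies a BTC address,
# the clipboard is silently rewritten 0.3 s later, then the user copies plain text.
ORIGINAL = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
SWAPPED = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "user_copy", ORIGINAL),
    ClipboardEvent(10.3, "other", SWAPPED),
    ClipboardEvent(25.0, "user_copy", "meeting at 3pm"),
    ClipboardEvent(25.1, "other", "meeting at 3pm"),  # benign rewrite of non-address text
]

if __name__ == "__main__":
    for orig, repl, delay in find_clipper_substitutions(SAMPLE_EVENTS):
        print(f"clipper-style swap after {delay:.1f}s: {orig} -> {repl}")
    print("safe to paste:", safe_to_paste(ORIGINAL, SWAPPED))
```

The detector only flags address-to-address rewrites, so ordinary clipboard managers that touch non-address text do not trigger it; the `safe_to_paste` comparison is the minimal check a user or app can apply before confirming a transfer, and is the reason the usual advice to re-read the pasted address works.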

It's worth noting that Triada is not the only malware that has been preloaded on Android devices during manufacturing. In May 2018, Avast revealed that several hundred Android models, including those from ZTE and Archos, had shipped with another adware called Cosiloon preinstalled.

“The Triada Trojan has been known for a long time, and it is still one of the most complex and dangerous threats to Android,” said Kaspersky researcher Dmitry Kalinin. “Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they sell smartphones with Triada.”

“At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer around $270,000 in various cryptocurrencies to their crypto wallets [between June 13, 2024, and March 27, 2025].”

The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter of which targets more than 750 banking, financial and cryptocurrency applications.

The two malware families are distributed via dropper apps that masquerade as legitimate Google services. They also abuse Android accessibility services to remotely control infected devices and carry out overlay attacks to siphon banking and credit card details.
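Because both families depend on being granted accessibility access, auditing which packages hold that permission is a cheap detection. The helper below is an added example, not code from the article or from any vendor; it parses a constructed copy of the value returned by `adb shell settings get secure enabled_accessibility_services` (entries are `package/ServiceClass`, separated by `:`, and the value is `null` when nothing is enabled) and reports packages outside an allowlist. The dropper package name and the allowlist are assumptions for the demo.

```python
from typing import Dict, List, Set

# Constructed sample of the setting value (not taken from a real device). The
# second entry is a made-up package name standing in for a dropper that
# pretends to be a Google service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.gservices.update/.AccessHelperService"
)

# Packages expected to hold accessibility access on managed devices (assumption).
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> list of fully qualified service classes from the raw setting."""
    services: Dict[str, List[str]] = {}
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # covers "null" and empty values
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # a leading '.' means the class is relative to the package
        services.setdefault(pkg, []).append(cls)
    return services


def unexpected_accessibility_packages(raw: str, allowlist: Set[str]) -> List[str]:
    """Packages holding accessibility access that are not on the allowlist."""
    return sorted(p for p in parse_enabled_services(raw) if p not in allowlist)


if __name__ == "__main__":
    for pkg in unexpected_accessibility_packages(SAMPLE_SETTING, ALLOWLIST):
        print("unexpected accessibility service holder:", pkg)
```

On a real device the raw value comes from `adb shell settings get secure enabled_accessibility_services` (or from an MDM inventory); a package that looks like a Google service but is not installed from a trusted store and holds this permission is the pattern described above.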

The disclosure also comes alongside the emergence of a new Android malware called Salvador Stealer that pretends to be a banking application for Indian users (package name: “com.indusvalley.appinstall”) and is able to collect sensitive user information.
