A newly modified version of the Triada Trojan has been discovered infecting brand-new Android smartphones, giving cybercriminals near-total control over compromised devices.
According to cybersecurity firm Kaspersky Lab, the malware is being distributed through the firmware of counterfeit smartphones sold in unauthorized online stores, with over 2,600 users in multiple countries—mostly in Russia—already affected.
Triada Trojan: A Persistent and Dangerous Threat
Triada is not a new threat; it has long been considered one of the most complex and dangerous malware families targeting Android devices. However, Kaspersky's latest findings indicate that the new version ships pre-installed in the firmware of counterfeit smartphones, so the device is already compromised before the buyer first powers it on, and there is nothing for the user to notice at the point of sale.
This version of Triada is embedded in the system framework, the code that every Android app process loads as it starts, so a copy of the malware ends up inside every application running on the infected device. Once active, it lets attackers hijack user accounts in popular messaging and social media apps such as Telegram and TikTok, and secretly send and delete messages in WhatsApp and Telegram, removing the evidence of its activity afterwards.
Additionally, Triada manipulates financial transactions by replacing cryptocurrency wallet addresses inside targeted applications, so victims unknowingly transfer funds to attacker-controlled wallets.
The malware also lets attackers interfere with phone calls, substituting the number during an active call so that the victim ends up talking to a fraudulent contact. It further monitors browser activity and rewrites links to steer users to malicious websites.
Beyond communications and transactions, Triada can intercept, send and delete SMS messages, which lets it capture SMS-based verification codes, and it can authorize premium-rate SMS payments without the victim's knowledge, leading to unauthorized charges.
It can also download and execute additional malware on the device, extending the attacker's capabilities. To make matters worse, it can block network connections, interfering with the anti-fraud systems and security software that depend on them.
Kaspersky's analysis of transactions linked to the malware suggests that the attackers have stolen at least $270,000 worth of various cryptocurrencies. The true figure is likely higher: the criminals also targeted Monero (XMR), a privacy-focused cryptocurrency whose transactions are designed to be untraceable, so those thefts cannot be counted.
How to Protect Yourself
To avoid falling victim to this threat, Kaspersky Lab advises users to be cautious when purchasing smartphones. Devices should only be bought from official and authorized retailers, as unauthorized sellers—particularly those offering unusually low prices—may be distributing counterfeits preloaded with malware.
Before setting up a new device, users should run a thorough scan with a reputable mobile security product to detect any potential threats, and keep that software up to date so it can identify emerging variants. One caveat: malware that sits in the system partition, as this Triada version does, survives a factory reset (which only wipes user data) and cannot be removed by an ordinary app, so if a scan finds it, the only reliable remedy is to reflash the device with clean firmware from the vendor, or to stop using it.
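A scan for known malware is one check; the other is whether the firmware itself is what a genuine device should be running. As an added example (not code from the article or from Kaspersky), the following Python script reads the output of `adb shell getprop` (assumed captured beforehand with USB debugging enabled) and flags firmware that is not a locked, verified, release-keys build with a current patch level, which is the kind of build a counterfeit or re-flashed handset typically has. The property names are standard Android system properties; the two getprop samples are constructed, and the model name "PhoneX1" is a placeholder. It does not detect Triada itself, only the conditions under which a pre-installed Trojan in the system framework is plausible.

```python
"""Flag Android firmware that is not a locked, verified, release-keys build.

Added example, not code from the article or from Kaspersky. It reads the text
printed by `adb shell getprop` (assumed captured beforehand over USB debugging);
both samples below are constructed and "PhoneX1" is a placeholder model name.
"""
import re
from datetime import date

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed: unlocked, unverified, test-key-signed firmware whose fingerprint
# string was edited to look like a clean release build.
SUSPICIOUS_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [logging]
[ro.build.fingerprint]: [acme/phonex1/phonex1:13/TQ3A.230805.001/1234:user/release-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.version.security_patch]: [2022-03-05]
[ro.debuggable]: [1]
[ro.product.model]: [PhoneX1]
[ro.secure]: [0]
"""

# Constructed: the same model on a locked, verified release build.
CLEAN_GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.build.fingerprint]: [acme/phonex1/phonex1:13/TQ3A.230805.001/1234:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.build.version.security_patch]: [2025-03-05]
[ro.debuggable]: [0]
[ro.product.model]: [PhoneX1]
[ro.secure]: [1]
"""


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def triage(props, expected_model=None, as_of=None, max_patch_age_days=180):
    """Return (code, detail) findings; an empty list means no red flags.

    as_of: ISO date used to age the security patch level (default: today).
    expected_model: the model the seller advertised, if you want it checked.
    """
    get, findings = props.get, []

    # Boot chain: anything but green means unlocked, custom keys or failed
    # verification; dm-verity must be enforcing, not merely logging.
    vbs = get("ro.boot.verifiedbootstate", "")
    if vbs != "green":
        findings.append(("VERIFIED_BOOT", f"state {vbs or 'missing'!r}, expected 'green'"))
    if get("ro.boot.flash.locked") != "1":
        findings.append(("BOOTLOADER", "unlocked, or lock state not reported"))
    if get("ro.boot.veritymode", "enforcing") != "enforcing":
        findings.append(("DM_VERITY", f"veritymode {get('ro.boot.veritymode')!r}"))

    # Build provenance: shipping builds are type "user", tagged "release-keys"
    # (test-keys are the public AOSP keys), not debuggable, with ro.secure=1
    # (otherwise adbd runs as root), and the fingerprint must agree with them.
    build_type, tags = get("ro.build.type", ""), get("ro.build.tags", "")
    if tags != "release-keys":
        findings.append(("SIGNING_KEYS", f"build tags {tags!r}"))
    if build_type != "user" or get("ro.debuggable") == "1":
        findings.append(("DEBUG_BUILD", f"type {build_type!r}, ro.debuggable {get('ro.debuggable')!r}"))
    if get("ro.secure") != "1":
        findings.append(("RO_SECURE", "ro.secure != 1"))
    fp_tail = get("ro.build.fingerprint", "").rsplit(":", 1)[-1]
    if fp_tail != f"{build_type}/{tags}":
        findings.append(("FINGERPRINT", f"fingerprint ends {fp_tail!r}, props say {build_type}/{tags}"))

    # Patch level: counterfeit firmware is usually frozen on an old release.
    ref = date.fromisoformat(as_of) if as_of else date.today()
    patch = get("ro.build.version.security_patch")
    try:
        age = (ref - date.fromisoformat(patch)).days if patch else None
    except ValueError:
        age = None
    if age is None or age > max_patch_age_days:
        findings.append(("STALE_PATCH", f"security patch level {patch!r}, age {age} days"))

    if expected_model and get("ro.product.model") != expected_model:
        findings.append(("MODEL", f"reports {get('ro.product.model')!r}, seller claimed {expected_model!r}"))
    return findings


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_GETPROP), ("clean", CLEAN_GETPROP)):
        result = triage(parse_getprop(text), expected_model="PhoneX1", as_of="2025-04-01")
        print(f"== {name}: {len(result)} finding(s)")
        for code, detail in result:
            print(f"  {code:13} {detail}")
```

Run it against a real capture with `adb shell getprop > props.txt` and feed the file contents to `parse_getprop`. A single finding is not proof of a counterfeit (an enthusiast may have unlocked a genuine phone on purpose), but a brand-new device from a seller that shows several of them at once is exactly the profile the article warns about.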
For those who frequently conduct cryptocurrency transactions, experts warn that extra precautions are needed. Always compare the wallet address shown on the confirmation screen with the one you intended to use, character by character, before approving a transfer, since Triada can swap transaction details in real time.
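The address substitution described earlier, and the advice to double-check the destination, comes down to two distinct checks that a wallet or payment flow can apply before a transfer is confirmed. As an added example (not code from the article, from Kaspersky, or from any wallet vendor), the following Python implements them for the legacy Bitcoin Base58Check address format using only the standard library: a checksum check, which catches typos and truncation, and an exact comparison against an address saved earlier, which is the only one of the two that catches a perfectly valid address swapped in by malware. The address book and every address in it are constructed for the example.

```python
"""Destination-address check against wallet-address substitution.

Added example, not code from the article or from any wallet. Implements
Base58Check (legacy Bitcoin addresses) with the standard library only; the
address book and all addresses used here are constructed for the example.
"""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data):
    """First four bytes of double SHA-256, as Base58Check specifies."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58decode(text):
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body


def base58check_encode(version, payload):
    data = bytes([version]) + payload
    return b58encode(data + _checksum(data))


def base58check_decode(text):
    """Return (version, payload) or raise ValueError if the checksum fails."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short")
    data, chk = raw[:-4], raw[-4:]
    if _checksum(data) != chk:
        raise ValueError("checksum mismatch")
    return data[0], data[1:]


# Constructed address book: the destinations the user actually intends to pay.
ADDRESS_BOOK = {
    "exchange deposit": base58check_encode(0, bytes(range(20))),
}


def check_destination(candidate, label, book=ADDRESS_BOOK):
    """Return (ok, reason). Only an exact match with the saved entry passes.

    A checksum failure catches typos; it does NOT catch a Trojan that swapped
    in a different, perfectly valid address. Hence the full-string comparison
    against the saved entry rather than a glance at the first and last chars.
    """
    try:
        version, payload = base58check_decode(candidate)
    except ValueError as exc:
        return False, f"malformed address: {exc}"
    if version not in (0, 5) or len(payload) != 20:  # mainnet P2PKH / P2SH only
        return False, f"not a mainnet legacy address (version {version})"
    if candidate != book.get(label):
        return False, "valid address, but not the saved one: possible substitution"
    return True, "matches saved entry"


if __name__ == "__main__":
    intended = ADDRESS_BOOK["exchange deposit"]
    swapped = base58check_encode(0, bytes.fromhex("ab" * 20))  # attacker's own, valid
    typo = intended[:-1] + ("2" if intended[-1] != "2" else "3")  # one wrong character
    for name, addr in (("intended", intended), ("swapped", swapped), ("typo", typo)):
        print(f"{name:9} {addr}  ->  {check_destination(addr, 'exchange deposit')}")
```

The design point is in `check_destination`: the swapped address is cryptographically flawless, so any defence that stops at "is this a valid address?" lets it through. The comparison has to be against something the malware could not have altered, such as an entry you saved before the transfer or an address read from a second device.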