Counterfeit Android Phones Preloaded with Triada Malware Infect Over 2,600 Devices


Counterfeit versions of popular smartphones, sold at reduced prices, have been discovered preloaded with a modified variant of the Android malware Triada.

According to a Kaspersky report, more than 2,600 users across various countries have encountered this new version, with most cases recorded in Russia. The infections occurred between March 13 and 27, 2025.

Triada, a modular Android malware family first identified by Kaspersky in March 2016, is a remote access trojan (RAT) capable of stealing sensitive data and recruiting infected devices into a botnet for malicious activities. Previously, Triada was spread through intermediary apps on the Google Play Store and third-party platforms that gained root access to compromised devices. Later campaigns used WhatsApp mods like FMWhatsApp and YoWhatsApp for distribution.

Over time, altered versions of Triada have infiltrated off-brand Android tablets, TV boxes, and digital projectors, often as part of the widespread BADBOX fraud scheme. This operation exploits supply chain vulnerabilities and third-party marketplaces for initial access. The shift toward pre-installed malware was first observed in 2017 when Triada evolved into an Android framework backdoor, granting attackers remote control over devices, enabling further malware injection and illicit activities.

Google highlighted this issue in June 2019, noting that Triada infects device system images during production via third-party vendors. Some OEMs seeking additional features, such as face unlock, outsource development, inadvertently allowing malware to be embedded in system images. At the time, Google pointed to a vendor named Yehuo or Blazefire as a likely source of these compromised images.

Kaspersky’s latest analysis reveals that the newest Triada samples reside within the system framework, enabling deep integration and unrestricted control over infected devices. The malware facilitates:

  • Theft of user accounts linked to messaging and social platforms like Telegram and TikTok
  • Silent transmission of WhatsApp and Telegram messages from the victim’s account, with automatic deletion to erase traces
  • Clipboard hijacking to replace cryptocurrency wallet addresses with attacker-controlled ones
  • Web browser activity monitoring and link manipulation
  • Phone number substitution during calls
  • SMS interception and unauthorized premium subscription sign-ups
  • Downloading additional malicious programs
  • Blocking network connections to disrupt anti-fraud mechanisms

Triada is not the only malware preloaded onto Android devices at the manufacturing stage. In May 2018, Avast revealed that numerous Android models, including those from ZTE and Archos, were shipped with pre-installed adware known as Cosiloon.

“The Triada Trojan has been known for a long time and remains one of the most complex and dangerous threats to Android,” said Kaspersky researcher Dmitry Kalinin. “At some stage, the supply chain is likely compromised, meaning retailers may unknowingly sell smartphones infected with Triada.”

Kalinin also noted that the creators of this new Triada variant are actively profiting from their operation. Blockchain analysis indicates that between June 13, 2024, and March 27, 2025, they transferred approximately $270,000 in various cryptocurrencies to their wallets.

The resurgence of Triada coincides with the discovery of two new Android banking trojans, Crocodilus and TsarBot, the latter of which targets over 750 financial and cryptocurrency applications. These malware families are spread via dropper apps impersonating legitimate Google services. They exploit Android’s accessibility features to gain remote control of infected devices and carry out overlay attacks to steal banking credentials and credit card details.

Additionally, ANY.RUN has reported a new Android malware strain, Salvador Stealer, disguised as an Indian banking app (package name: “com.indusvalley.appinstall”). This malware is designed to harvest sensitive user information.

Cyberkitera is a premier cybersecurity publishing platform dedicated to providing the latest insights, expert security tips, and news across all areas of cybersecurity. Our mission is to empower individuals and businesses with knowledge to prevent cyber threats, stay informed about emerging trends, and safeguard their digital assets. From industry updates to practical advice on protecting against cyber attacks, Cyberkitera is your trusted source for staying ahead in the ever-evolving world of cybersecurity.
