
Counterfeit versions of popular smartphone models, sold at low prices, have been found preloaded with a modified version of the Android malware called Triada.
“More than 2,600 users from various countries have come across new versions of Triada, the majority in Russia,” Kaspersky said in the report. The infections were recorded between March 13 and 27, 2025.
Triada is the name given to a modular Android malware family first discovered by a Russian cybersecurity company in March 2016. The remote access trojan (RAT) is equipped not only to steal a wide range of confidential information but also to enlist infected devices into botnets for other malicious activities.
The malware was previously observed being distributed through intermediary apps published on the Google Play Store (and elsewhere) that obtained root access on compromised phones; subsequent campaigns used WhatsApp mods such as FMWhatsApp and YoWhatsApp as propagation vectors.

Over the years, modified versions of Triada have found their way onto unbranded Android tablets, TV boxes and digital projectors as part of a wide-ranging fraud scheme called Badbox, which relies on third-party marketplaces to compromise the hardware supply chain and gain early access to devices.
This behavior was first observed in 2017, when the malware evolved into a pre-installed Android framework backdoor, allowing threat actors to remotely control the device, inject additional malware and exploit it for a variety of illegal activities.
“OEMs may include features that are not part of the Android Open Source Project, such as Face Unlock. OEMs may partner with third parties that can develop the functionality the OEM wants, and send the entire system to the vendor for development,” Google said in June 2019.
At the time, the tech giant pointed its finger at a vendor named Yehuo or Blazefire, which it believed was responsible for infecting the returned system image with Triada.
The latest malware samples analyzed by Kaspersky show that it resides in the system framework, so it is copied into every process on the smartphone, giving attackers unrestricted access and control to perform various activities, including the ability to:
steal user accounts associated with instant messengers such as Telegram and TikTok; send WhatsApp and Telegram messages to other contacts on behalf of the victim and then delete them; act as a clipper by hijacking clipboard content, replacing cryptocurrency wallet addresses with the attackers' own and substituting numbers during calls; download other programs; subscribe victims to premium SMS services; block network connections; and interfere with the normal functioning of anti-fraud systems.
It is worth noting that Triada is not the only malware preloaded on Android devices during the manufacturing stage. In May 2018, Avast revealed that hundreds of Android models, including ones from ZTE and Archos, came pre-installed with an adware family called Cosiloon.
“The Triada trojan horse has been known for a long time, but it is still one of the most complicated and dangerous threats for Android,” said Dmitry Kalinin, a researcher at Kaspersky. “Perhaps one of the phases of the supply chain is being breached, so stores may not even suspect that they are selling smartphones with Triada.”

“At the same time, the authors of the newer version of Triada are actively monetizing their efforts. Judging from the analysis of the transactions, they were able to transfer around $270,000 in cryptocurrency [between June 13, 2024, and March 27, 2025].”
The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, the latter targeting over 750 banking, financial and cryptocurrency applications.
Both malware families are distributed via dropper apps that impersonate legitimate Google services. They also abuse Android accessibility services to remotely control infected devices and mount overlay attacks to siphon banking credentials and credit card details.
The disclosure also details a new Android malware strain (package name: “com.indusvalley.appinstall”) called Salvador Stealer, which disguises itself as a banking application aimed at Indian users in order to harvest sensitive user information.