Triada Malware Found Preloaded on Counterfeit Android Phones, Infecting Over 2,600 Devices Globally

By jinia


A new wave of counterfeit Android smartphones has been discovered carrying a preloaded variant of the notorious Triada malware, infecting more than 2,600 devices worldwide — with Russia being the most impacted.


According to a research-backed report by cybersecurity firm Kaspersky, these infections were recorded between March 13 and March 27, 2025, and stem from budget Android phones that are unauthorized clones of popular models.


⚠️ What Is Triada Malware?

Triada is a modular Remote Access Trojan (RAT) that has plagued the Android ecosystem since its discovery in March 2016. It’s engineered to steal sensitive data, gain full control of infected devices, and even conscript them into botnets for malicious activities.


Originally distributed via shady apps on the Google Play Store, Triada evolved to spread through popular WhatsApp mods like FMWhatsApp and YoWhatsApp. It has since become a pre-installed threat on counterfeit Android devices — a severe form of supply chain attack.


🛠 How It Works

Kaspersky's latest findings reveal that this new variant of Triada resides within the Android system framework, granting it root-level permissions and the ability to affect every app and process on the device. Its capabilities include:


  • Hijacking social media accounts (Telegram, TikTok)

  • Silently sending and deleting messages on WhatsApp/Telegram

  • Replacing copied cryptocurrency wallet addresses

  • Redirecting browser links and modifying call contacts

  • Subscribing users to premium SMS services

  • Downloading additional malware payloads

  • Blocking network access to avoid anti-fraud detection


🔍 How Did It Get There?

According to Google, Triada typically gets embedded during the device production stage, especially when Original Equipment Manufacturers (OEMs) outsource custom features like face unlock to third-party developers. These developers sometimes return compromised system images, infecting the phone before it even reaches the user.


Back in 2019, Google named Yehuo/Blazefire as a probable vendor responsible for spreading Triada through manipulated firmware.


🧠 Expert Insight


"Triada remains one of the most sophisticated and persistent Android threats," says Dmitry Kalinin, a Kaspersky cybersecurity researcher. "Even legitimate retailers might unknowingly sell infected devices due to upstream supply chain compromises."


Worryingly, the malware isn’t just for surveillance — it’s being actively monetized. Between June 13, 2024, and March 27, 2025, attackers reportedly transferred over $270,000 in cryptocurrency to their wallets, based on blockchain analysis.


🔒 Not an Isolated Threat

Triada isn't alone. In recent months, other advanced Android malware strains have emerged:

  • Crocodilus & TsarBot – Two banking trojans targeting 750+ financial apps using fake Google services and accessibility abuse.

  • Salvador Stealer – A deceptive malware disguised as an Indian banking app, designed to harvest sensitive credentials.


These threats continue to evolve, and attackers are exploiting non-Play Protect certified Android devices, which don’t undergo Google’s security and compatibility testing.


✅ Google Responds

Following this discovery, a Google spokesperson clarified to The easy4hub News:


"The infected devices are not Play Protect certified. Users of certified Android devices are protected against malware like Triada, Crocodilus, and TsarBot."


🛡 What You Should Do

  • Buy devices only from trusted and authorized retailers

  • Verify Play Protect certification before purchasing

  • Regularly scan your device using trusted mobile security apps

  • Avoid third-party app stores and unofficial WhatsApp mods


📌 Final Thoughts

The Triada malware continues to pose a significant threat to Android users, especially those who unknowingly purchase low-cost clone smartphones. This incident reinforces the critical need for supply chain security, certification verification, and user awareness in combating mobile cyber threats.