In a startling revelation for the cybersecurity community, Kaspersky researchers have identified a dangerous new variant of the infamous Android trojan Triada. This iteration goes far beyond previous capabilities: it steals cryptocurrency, hijacks messenger accounts, intercepts calls, and embeds itself so deeply into smartphones that users may be compromised before they ever open the box. With more than 2,600 victims across multiple countries, most notably Russia, this malware campaign marks a new chapter in mobile cybercrime. Here’s what you need to know.
The Rise of Triada 2.0: A Trojan Born from Supply Chain Tampering
Triada has been on the radar of cybersecurity experts for years. First discovered in 2016, it was once labeled “one of the most advanced mobile threats” by researchers at Kaspersky and Google. Now, in 2025, Triada has evolved once again — and its newest iteration is both deeply embedded and highly lucrative for cybercriminals.
The newly discovered version, tracked as Backdoor.AndroidOS.Triada.z, is not delivered through traditional means like malicious downloads or phishing messages. Instead, it comes preinstalled on counterfeit Android devices being sold through unauthorized online marketplaces. These are fake replicas of popular smartphone brands, typically offered at steep discounts, luring unsuspecting buyers into the trap.
What makes this development especially alarming is the point of infection: the malware resides within the system framework of the device’s firmware. That means Triada is not just an app or a rootkit — it becomes part of the operating system itself, launching with every process, gaining deep and persistent control over the entire device.
Capabilities of the New Triada Variant
Kaspersky’s analysis shows that this Trojan has undergone significant upgrades. Among its broad set of malicious functionalities:
- Account Theft from Messaging Apps: It targets login credentials from apps such as Telegram and TikTok, with the ability to silently access messages and profile data.
- Impersonation in Communications: Triada can send and delete messages on platforms like WhatsApp (owned by Meta, banned in Russia) and Telegram without the user’s consent, allowing it to erase its traces and send instructions or scams to contacts.
- Cryptocurrency Theft: The trojan detects crypto wallet addresses in use and replaces them with wallets controlled by the attackers, silently diverting funds during transactions. Evidence shows over $270,000 in various cryptocurrencies has already been siphoned off, and the real figure is possibly higher.
- Call Hijacking: Triada can replace phone numbers in outgoing calls, redirecting users to attacker-controlled numbers instead of the intended recipients. This feature could be used for social engineering, fraud, or intercepting two-factor authentication calls.
- Browser Activity Monitoring: The malware actively tracks browser activity and replaces URLs, possibly leading users to phishing sites.
- SMS Manipulation: Triada can read, send, and delete SMS messages, facilitating interception of 2FA codes and communication with premium SMS services.
- Premium SMS Abuse: The trojan can authorize and initiate premium-rate SMS services, causing financial losses to victims.
- Download and Execution of Additional Malware: The Trojan has the capacity to download and execute other malicious apps, potentially layering multiple types of threats on a single device.
- Disruption of Network Connections: It can block anti-fraud systems or prevent certain network activities, making detection and removal even harder.
Distribution Method: Infected Devices at the Source
Unlike earlier versions of Triada, this variant is embedded at the firmware level before the device reaches the consumer. Kaspersky’s experts suspect a supply chain compromise, meaning somewhere between manufacturing and retail, malicious firmware is being introduced.
The infected phones are sold primarily through non-authorized online retailers posing as legitimate distributors, often marketing counterfeit phones as high-end brands. The malware cannot be removed by factory reset or regular antivirus tools due to its placement in the firmware’s system partition.
From March 13 to March 27, 2025, Kaspersky reported Triada detections on over 2,600 devices globally, with the majority located in Russia. These statistics come from anonymized telemetry from Kaspersky’s Android security solutions.
Financial Impact and Cryptocurrency Laundering
One of the more concerning outcomes of this campaign is the direct monetization of Triada’s capabilities. Through blockchain analysis, experts tracked stolen funds exceeding $270,000 in cryptocurrency. The attackers frequently use Monero (XMR) for laundering — a privacy-centric cryptocurrency that’s notoriously hard to trace, adding another layer of complexity to law enforcement efforts.
Expert Commentary
“Triada remains one of the most complex and persistent mobile threats we’ve ever seen. Its presence in preinstalled firmware means the infection begins even before the user activates their device,” said Dmitry Kalinin, a cybersecurity specialist at Kaspersky. “This is a clear indication that supply chain attacks in the mobile space are no longer theoretical — they’re actively being weaponized.”
Kalinin also emphasized that the true number of affected devices may be significantly higher, given the silent nature of the trojan and the global availability of counterfeit phones through e-commerce platforms.
10 Practical Ways to Protect Yourself Against Threats Like Triada
- Buy smartphones only from authorized retailers or official brand stores. Avoid tempting deals from unknown or unverified online marketplaces.
- Always inspect the packaging and model carefully. Counterfeit devices often contain subtle physical inconsistencies.
- Immediately install a reputable mobile security solution after purchase. Tools like Kaspersky for Android can detect threats like Triada, even at the system level.
- Avoid rooting your phone, which can disable important security controls and make infections worse.
- Regularly update your operating system and security apps. Even on counterfeit phones, keeping everything up to date is critical.
- Monitor cryptocurrency transactions carefully. Always double-check wallet addresses before finalizing transfers.
- Enable multi-factor authentication (MFA) using hardware tokens or authentication apps, rather than relying on SMS.
- Be cautious when installing apps, even from official stores. Review permissions and avoid apps requesting access to sensitive functions without clear justification.
- Use call verification apps that help detect suspicious number spoofing or redirection during phone calls.
- Report counterfeit devices or malware infections to cybersecurity organizations and mobile manufacturers. This helps track and reduce such threats.
Conclusion: A Wake-Up Call for the Mobile Ecosystem
The re-emergence of Triada in such a deeply embedded form is a warning shot for the entire mobile ecosystem, from manufacturers and firmware suppliers to cybersecurity professionals and end-users. It underscores the importance of supply chain security, which remains one of the most overlooked aspects of mobile device safety.
For cybersecurity professionals, this incident offers vital lessons: malware doesn’t always come in through the front door. With attackers getting smarter and more strategic, the need for firmware integrity verification, deep behavioral analytics, and ongoing threat intelligence has never been more critical.
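The protective tips above and the call for firmware integrity verification both come down to one practical question: does the phone in your hand run the vendor's signed release firmware? The following is an added example, not code from the article or from Kaspersky. It triages the output of `adb shell getprop` for a few well-known Android system properties (Verified Boot state, bootloader lock state, build type, and build signing tags) and reports indicators of a tampered or non-release build. The sample `getprop` output is constructed for illustration, and the decision that any of these indicators warrants a finding is the author's assumption; a non-green state or unlocked bootloader is not proof of malware, only a reason not to trust the device with credentials or wallets until it is examined further.

```python
"""Triage Android build/boot properties for tampering indicators.

Added example (not from the article or Kaspersky). Parses `adb shell
getprop` output and flags signs that the firmware is not the vendor's
signed release build. The property names are real Android properties;
the sample output and the rules for what counts as a finding are the
author's constructed assumptions.
"""
import re

# `getprop` prints one property per line as: [key]: [value]
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample of `adb shell getprop` output for a suspicious device.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [ExampleBrand/example_phone/example:14/UP1A.000000.000/1:userdebug/test-keys]
[ro.product.model]: [Example Flagship 15 Pro]
"""


def parse_getprop(text: str) -> dict:
    """Turn raw getprop output into a {key: value} dict, skipping junk lines."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def integrity_findings(props: dict) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []

    # Verified Boot: only "green" means the boot chain was verified against
    # the OEM key. orange = unlocked, yellow = custom key, red = failed.
    state = props.get("ro.boot.verifiedbootstate", "")
    if state != "green":
        findings.append(f"verified boot state is '{state or 'unset'}', expected 'green'")

    # An unlocked bootloader allows arbitrary system images to be flashed.
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader is unlocked (ro.boot.flash.locked=0)")

    # Retail firmware is a "user" build; userdebug/eng builds ship debug hooks.
    build_type = props.get("ro.build.type", "user")
    if build_type != "user":
        findings.append(f"build type is '{build_type}', expected 'user'")

    # AOSP test-keys are public; a retail image should be signed with release-keys.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build signed with test-keys rather than release-keys")

    # The fingerprint ends with the build tags, so it should end in release-keys.
    fingerprint = props.get("ro.build.fingerprint", "")
    if fingerprint and not fingerprint.endswith("release-keys"):
        findings.append(f"build fingerprint does not end in release-keys: {fingerprint}")

    return findings


def triage(getprop_output: str) -> list:
    """Convenience wrapper: raw getprop text in, list of findings out."""
    return integrity_findings(parse_getprop(getprop_output))


if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP):
        print("FINDING:", finding)
```

Run it against a live device with `adb shell getprop | python3 triage.py` after replacing `SAMPLE_GETPROP` with `sys.stdin.read()`, or keep the sample to see the five findings the constructed output produces. A counterfeit handset that passes every check can still carry preinstalled malware in its system partition, so treat a clean result as necessary rather than sufficient.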
As the mobile world continues to expand, so does the attack surface. Triada’s return is not just a technical concern — it’s a strategic cybersecurity challenge demanding global attention, collaboration, and swift action.