New Triada Trojan Variant Preinstalled on Android Devices

TL;DR

  • A new variant of the Triada Trojan has been discovered preinstalled on Android devices, primarily in Russia.
  • The malware is distributed through compromised supply chains, affecting thousands of devices.
  • This Trojan grants attackers extensive control over infected devices, stealing data and cryptocurrencies.

Researchers from Kaspersky have uncovered a new variant of the Triada Trojan preinstalled on thousands of Android devices. This malware enables data theft upon device setup, with over 2,600 infections detected in Russia between March 13 and 27, 2025.

Discovery and Impact

The malware was found on counterfeit Android devices mimicking popular smartphone models. Researchers suspect that the threat actors compromised the supply chain, leading to stores unknowingly selling infected devices.

According to Kaspersky’s report, the new Triada variant is embedded in the system framework, allowing a copy of the malware to infiltrate every process on the smartphone. This gives attackers almost unlimited control over the device, enabling them to steal accounts, send messages, intercept SMS, monitor browsing activity, and steal cryptocurrencies.

Financial Implications

Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab, noted:

The authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their wallets. However, the actual amount may be larger, as the attackers also targeted Monero, a cryptocurrency that is untraceable.

Protection Measures

To safeguard against such malware, experts recommend:

  • Purchasing smartphones from authorized distributors.
  • Installing security solutions like Kaspersky for Android immediately upon device setup.

Historical Context

The Triada Trojan was first identified in 2016 by Kaspersky Lab and was considered one of the most advanced mobile threats at the time. Designed for financial fraud, it hijacks SMS transactions and has a modular architecture that gives it a wide range of capabilities.

In March 2018, researchers at Dr.Web discovered that 42 models of low-cost Android smartphones were shipped with the Android.Triada.231 banking malware. The malware uses the Zygote parent process to inject its code into all applications on the device, making it extremely persistent. The only way to remove the threat is to wipe the smartphone and reinstall the OS.
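Because the Zygote-injected code is forked into every app, one defender-side lead is a library that appears in every process's memory map but is absent from a clean device of the same build. The following script is an added example, not code from Kaspersky or Dr.Web; the `/proc/<pid>/maps` lines, the baseline, and the library name `libexample_implant.so` are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the format of /proc/<pid>/maps, one list per process.
# On a real device these would be collected over adb from a rooted test unit.
# "libexample_implant.so" is a made-up stand-in for an injected module, not a Triada indicator.
SAMPLE_MAPS = {
    "com.android.systemui": [
        "7f1a000000-7f1a010000 r-xp 00000000 fd:00 101 /system/lib64/libc.so",
        "7f1a100000-7f1a110000 r-xp 00000000 fd:00 102 /system/lib64/libexample_implant.so",
        "7f1a200000-7f1a201000 r-xp 00000000 fd:00 103 /system/lib64/libsurfaceflinger.so",
        "7f1a300000-7f1a301000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
    ],
    "com.example.bank": [
        "7f2a000000-7f2a010000 r-xp 00000000 fd:00 101 /system/lib64/libc.so",
        "7f2a100000-7f2a110000 r-xp 00000000 fd:00 102 /system/lib64/libexample_implant.so",
        "7f2a200000-7f2a201000 r-xp 00000000 fd:00 201 /data/app/com.example.bank/lib/arm64/libnative.so",
    ],
    "com.android.phone": [
        "7f3a000000-7f3a010000 r-xp 00000000 fd:00 101 /system/lib64/libc.so",
        "7f3a100000-7f3a110000 r-xp 00000000 fd:00 102 /system/lib64/libexample_implant.so",
    ],
}

# Constructed baseline: .so paths that a clean device of the same build loads into
# every app (in practice, generated from a known-good unit or the factory image).
CLEAN_BASELINE = {"/system/lib64/libc.so"}

def mapped_libraries(maps_lines):
    """Extract the distinct .so paths from /proc/<pid>/maps lines."""
    libs = set()
    for line in maps_lines:
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) == 6 and fields[5].endswith(".so"):
            libs.add(fields[5])
    return libs

def unexpected_ubiquitous_libraries(maps_by_process, baseline):
    """Libraries mapped into every process that the clean baseline does not explain.
    A hit is a lead to compare against the vendor image, not proof of infection."""
    procs_per_lib = defaultdict(set)
    for proc, lines in maps_by_process.items():
        for lib in mapped_libraries(lines):
            procs_per_lib[lib].add(proc)
    everywhere = {lib for lib, procs in procs_per_lib.items()
                  if len(procs) == len(maps_by_process)}
    return sorted(everywhere - set(baseline))
```

Calling `unexpected_ubiquitous_libraries(SAMPLE_MAPS, CLEAN_BASELINE)` on the constructed data returns only the stand-in implant path; a baseline built from the same build would also explain system libraries that legitimately load everywhere.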

Previous Incidents

  • In July 2017, Dr.Web researchers found many smartphone models shipped with the Triada Trojan, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
  • The infection was traced back to a software developer from Shanghai.


This post is licensed under CC BY 4.0 by the author.