Kaspersky uncovers a sophisticated cyber threat to users of counterfeit smartphones
ISLAMABAD: Cybersecurity company Kaspersky has identified a newly upgraded and highly complex variant of the Triada Trojan, which has been found pre-installed on counterfeit Android phones allegedly distributed by unauthorized sellers.
The malware is embedded directly into the device’s system firmware, allowing it to operate in the background without detection and giving attackers full remote access to the compromised phones. Over 2,600 users around the globe have reportedly been impacted.
Unlike most mobile threats that are spread through malicious applications, this version of the Triada Trojan is deeply integrated into the core of the operating system. It attaches itself to all active processes, enabling a wide array of harmful activities.
These include hijacking social media and messaging accounts such as Telegram, TikTok, Facebook, and Instagram; manipulating messages on platforms like WhatsApp and Telegram; altering cryptocurrency wallet addresses; faking caller IDs to redirect calls; tracking browsing behavior; injecting malicious links; tampering with SMS messages; triggering premium-rate SMS services; downloading further malicious files; and restricting network access to avoid security checks.
Dmitry Kalinin, a malware expert at Kaspersky Threat Research, remarked, “Triada has become one of the most sophisticated malware threats within the Android environment. This latest version compromises the device at the firmware stage—even before the user starts using it—suggesting a breach within the supply chain.”
Kalinin further revealed that open-source data suggests the hackers have already laundered at least $270,000 in stolen cryptocurrency through their digital wallets. The actual sum could be higher, especially if anonymous digital currencies like Monero were used.
Kaspersky’s security products identify this malware as Backdoor.AndroidOS.Triada.z.
Originally detected in 2016, Triada has continuously evolved to exploit system-level permissions, commit fraud, intercept verification codes, and remain hidden from security tools. This new wave of attacks is particularly alarming, as it indicates attackers may be leveraging vulnerabilities in the supply chain to install malware directly into the firmware of counterfeit Android devices.