Arabic
English
Gujarati
Hindi
Kannada
Marathi
Telugu
Embedded in the system firmware, the malware operates undetected and grants attackers’ full control over infected devices
Kaspersky has uncovered a new, sophisticated version of the Triada Trojan preinstalled on counterfeit Android smartphones allegedly sold through unauthorized retailers. Embedded in the system firmware, the malware operates undetected and grants attackers’ full control over infected devices. More than 2,600 users worldwide have been affected.
Unlike typical mobile malware delivered via malicious apps, this Triada variant is integrated into the system framework, infiltrating every running process. It enables a wide range of malicious activity, including:
- Stealing messaging and social media accounts, including Telegram, TikTok, Facebook, and Instagram.
- Sending and deleting messages in apps like WhatsApp and Telegram.
- Substituting cryptocurrency wallet addresses.
- Redirecting phone calls by spoofing caller IDs.
- Monitoring browser activity and injecting links.
- Intercepting, sending, and deleting SMS messages.
- Enabling premium SMS charges.
- Downloading and executing additional payloads.
- Blocking network connections to potentially bypass anti-fraud systems.
“The Triada Trojan has evolved into one of the most advanced threats in the Android ecosystem,” said Dmitry Kalinin, malware analyst at Kaspersky Threat Research. “This new version infiltrates the device at the firmware level—before it even reaches the user—pointing to a supply chain compromise. According to the analysis of the open sources, attackers have already funneled at least $270,000 in stolen cryptocurrency to their wallets, though the actual total may be higher due to the use of untraceable coins like Monero.”
Kaspersky solutions detect this variant as Backdoor.AndroidOS.Triada.z.
First discovered in 2016, Triada has continually evolved, leveraging system-level privileges to execute fraud, hijack SMS authentication, and evade detection. This latest campaign marks a concerning escalation, as attackers potentially exploit supply chain flaws to deploy firmware-level malware on counterfeit devices.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter |The Mainstream formerly known as CIO News Whatsapp Channel | The Mainstream formerly known as CIO News Instagram
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.
