A new version of the Triada trojan has been discovered preinstalled on thousands of Android devices, giving cybercriminals the ability to steal data as soon as the devices are set up. According to Kaspersky researchers, this malware campaign has primarily targeted Russian users, with at least 2,600 infections reported between March 13 and 27, 2025. These infections were identified through Kaspersky's mobile protection tools.
Triada was found on fake versions of popular smartphone models sold online at lower prices. These low-cost devices attract unsuspecting buyers who may not realize they are purchasing compromised products. The malware was first discovered in 2016 and has changed over time. It now hides in the firmware of Android phones, which makes it a persistent threat: it cannot be removed unless the device's software is reflashed, as reported by Bleeping Computer.
The latest version of Triada is very hard to detect. It hides itself in the Android system and copies itself into every process on the phone. The malware can steal accounts from messaging and social media apps, intercept and manipulate SMS messages, hijack cryptocurrency transactions by replacing wallet addresses, track browsing activity to redirect links, and spoof phone numbers during calls to reroute conversations. It also allows premium SMS services to charge users for paid services without their approval, and it can download and run additional apps remotely.
Kaspersky's analysis shows that this version of Triada has already stolen at least $270,000 worth of cryptocurrency. Some transactions involve Monero, a cryptocurrency that is difficult to trace.
The researchers think the infection is a supply chain attack. Dmitry Kalinin from Kaspersky says Triada is in smartphone firmware before users get the devices. He also says retailers may not know they're selling phones with malware.
To reduce the risk of falling victim to such threats, experts recommend purchasing smartphones only from authorized distributors.