Trojan embedded in fake Android smartphones

Counterfeit smartphones imitating well-known brands and offered online come pre-installed with the powerful Triada Trojan.

Triada: a Trojan pre-installed on Android smartphones out of the box

The familiar checkout ritual at the supermarket: once everything’s been scanned — the offer, delivered with a hopeful smile: “Chocolate bar for the road? It’s a good one, and the discount is almost criminal”. If you’re lucky, you get a delicious bonus at a great price. But more often than not they’re trying to sell you something that’s not selling well: either it’s about to expire or it has some other hidden flaw.

Now, imagine you declined that chocolate bar, but it was secretly slipped into your bag anyway, or even worse, into your pocket, where it melted and ruined your clothes, spoiling your day. Well, something similar happened to those who bought knock-offs of popular smartphone brands from online marketplaces. No, they didn’t get a chocolate bar. They walked away with a brand-new smartphone that had the Triada Trojan embedded in its firmware. This is much worse than melted chocolate. Their crypto balances, along with their Telegram, WhatsApp, and social media accounts, could be gone before they could utter “bargain!”. Someone could steal their text messages and a lot more.

Triada? What Triada?

That’s the name we at Kaspersky gave to the Trojan we first discovered and described in detail in 2016. This mobile malware would infiltrate almost every process running on a device, while residing only in the RAM.

The emergence of Triada spelled a new era in the evolution of mobile threats targeting Android. Before Triada, Trojans were relatively harmless — mainly displaying ads and downloading other Trojans. This new threat showed that things would never be the same again.

With time, Android developers fixed the vulnerabilities that early versions of Triada exploited. Recent Android versions restricted even users with root privileges from editing system partitions. Did this stop the cybercriminals? What do you think?!..

Fast-forward to March 2025, and we discovered an adapted version of Triada that takes advantage of the new restrictions. The threat actor infects the firmware even before the smartphones are sold. Pre-installed in system partitions, the malware proves nearly impossible to remove.

What is this new version capable of?

Our Android security solution detects the new version of Triada as Backdoor.AndroidOS.Triada.z. This new version is what’s embedded in the firmware of fake Android smartphones available from online marketplaces. It can attack any application running on the device. This gives the Trojan virtually unlimited capabilities. It can control text messages and calls, steal crypto, download and run other applications, replace links in browsers, surreptitiously send messages in chat apps on your behalf, and hijack social media accounts.

A copy of Triada infiltrates every app launched on an infected device. Besides that, the Trojan includes specialized modules that target popular apps. As soon as the user downloads a legitimate app like Telegram or TikTok, the Trojan embeds itself in it and starts causing harm.

Telegram. Triada downloads two modules to compromise Telegram. The first one initiates malicious activity once a day, connecting to a command-and-control (C2) server. It sends the victim’s phone number to the criminals, along with complete authentication data — including the access token. The second module filters all messages, interacting with a bot (which didn’t exist at the time of our research), and deleting notifications about new Telegram logins.

Instagram. Once a day, the Trojan runs a malicious task to search for active session cookies and forward the data to the attackers. These files help the criminals assume full control over the account.

Browsers. Triada threatens a number of browsers: Chrome, Opera, Mozilla, and some others. The full list is available in the Securelist article. The module connects to the C2 server over TCP and randomly redirects legitimate links in the browsers to advertising sites for now. However, because the Trojan downloads redirect links from its C2 server, attackers can direct users to phishing sites at any time.

WhatsApp. Again, there are two modules. The first one collects and sends data about the active session to the C2 server every five minutes — giving the attackers full access to the victim’s account. The second one intercepts the client functions for sending and receiving messages, which allows the malware to send and then delete arbitrary instant messages to cover its tracks.

LINE. The dedicated Triada module collects internal app data, including authentication data (access token), every 30 seconds, and forwards it to the C2 server. In this case, too, someone else assumes full control of the user’s account.

Skype. Although Skype is about to be retired, Triada still has a module for infecting it. Triada uses several methods to obtain the authentication token and then sends it to the C2 server.

TikTok. This module can collect a lot of data about the victim’s account from cookie files in the internal directory, and also extract data required for communicating with the TikTok API.

Facebook. Triada is armed with two modules for this app. One of them steals authentication cookies, and the other sends information about the infected device to the C2 server.

Of course, there are also modules for SMS and calls. The first SMS module allows the malware to filter all incoming messages and extract codes from them, respond to some messages (likely to subscribe victims to paid services) and send arbitrary SMS messages when instructed by the C2 server. The second, auxiliary module disables the built-in Android protection against SMS Trojans that requests user permission before sending messages to short codes (Premium SMS), which could be used to confirm paid subscriptions.

The call module embeds itself in the phone app, but it’s most likely still under development. We discovered that it partially implements phone number spoofing — something we expect to be completed soon.

Another module, a reverse proxy, turns the victim’s smartphone into a reverse proxy server, giving attackers access to arbitrary IP addresses on behalf of the victim.

Not unexpectedly, Triada also targets crypto owners, with a special surprise awaiting them: a clipper. The Trojan watches the clipboard for crypto wallet addresses, substituting one of the attackers’ own. A crypto stealer analyzes the victim’s activity, replacing crypto wallet addresses with fraudulent addresses anywhere it can, whenever an attempt is made to withdraw cryptocurrency. It even interferes with button tap handlers inside apps and replaces images with generated QR codes that link to the attackers’ wallet addresses. The criminals have managed to steal more than US$264 000 in various cryptocurrencies since June 13, 2024 with the help of these tools.

See our Securelist report for a full list of Triada features and a detailed technical analysis.

How the malware infiltrates smartphones

In every infection case that we are aware of, the firmware name on the device differed from the official one by a single letter. For example, the official firmware was TGPMIXM, while the infected phones had TGPMIXN. We found posts on relevant discussion boards where users complained about counterfeit devices purchased from online stores.
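One defender-side check that the one-letter difference suggests, as an added example that is not part of the original article or of Kaspersky's tooling: parse the device's `getprop` output (the `ro.build.display.id` property carries the build name), then compare that name against an allow-list of official builds using an edit-distance threshold, so a near-miss such as TGPMIXN stands out from the official TGPMIXM. The allow-list contents and the sample getprop lines below are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Matches one line of `adb shell getprop` output, which looks like "[key]: [value]".
GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed allow-list holding the official build name quoted in the article.
# A real deployment would load the vendor's published build list instead.
OFFICIAL_BUILDS = {"TGPMIXM"}

# Constructed sample of getprop output from a suspect device (not real device data).
SAMPLE_GETPROP = """\
[ro.build.display.id]: [TGPMIXN]
[ro.product.model]: [EXAMPLE-MODEL]
"""


def parse_getprop(output: str) -> dict:
    """Turn getprop output into a {property: value} dict, skipping malformed lines."""
    props = {}
    for line in output.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_build(build: str, official=OFFICIAL_BUILDS, max_dist: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("official", name), ("near_miss", closest official name) or ("unknown", None)."""
    name = build.strip().upper()
    if name in official:
        return "official", name
    # A name one or two edits away from an official build is the counterfeit pattern
    # described in the article and deserves a closer look before the device is trusted.
    closest = min(official, key=lambda o: edit_distance(name, o))
    if edit_distance(name, closest) <= max_dist:
        return "near_miss", closest
    return "unknown", None


def check_device(getprop_output: str) -> Tuple[str, Optional[str]]:
    """Extract the build name from getprop output and classify it against the allow-list."""
    build = parse_getprop(getprop_output).get("ro.build.display.id", "")
    return classify_build(build)
```

Feeding the constructed sample to `check_device` yields a near miss against TGPMIXM, which is exactly the signal the article describes.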

It’s likely that a stage in the supply chain was compromised, while the stores had no idea they were distributing devices infected with Triada. Meanwhile, it’s practically impossible to determine exactly when the malware was placed inside the smartphones.

How to protect yourself from Triada

The new version of the Trojan was found pre-installed on counterfeit devices. Therefore, the best way to avoid Triada infection is to buy smartphones from authorized dealers only. If you suspect that your phone may have been infected with Triada (or another Trojan), here are our recommendations.

  • Refrain from using any of the potentially compromised apps listed above or making any financial transactions — including cryptocurrency.
  • Install Kaspersky for Android on your smartphone to check if it’s indeed infected.
  • If Triada is found on the device, reflash the smartphone with the official firmware yourself, or contact the local service center. Expect sudden changes to your smartphone’s specs: besides the pre-installed Trojan, the fake firmware often overstated the RAM and storage.
  • If your smartphone is found to be infected with Triada, check all messaging and social media apps that may have been compromised. For chat apps, make sure you terminate any sessions still running on devices you don’t recognize, and check your privacy settings according to our guide WhatsApp and Telegram account hijacking: How to protect yourself against scams. If you suspect that your instant messaging accounts have been hijacked, read What to do if your WhatsApp account gets hacked or What to do if your Telegram account is hacked. Terminate all social media sessions on all your devices and change your passwords. Kaspersky Password Manager can help you with that.
  • Our Privacy Checker portal offers a step-by-step guide on configuring privacy in various applications and operating systems in general.

Triada is far from the only mobile Trojan. Follow these links for our stories about other Android malware:
