A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
Kaspersky researchers report that this campaign mainly impacts Russian users, with at least 2,600 confirmed infections from March 13 to 27, 2025, based on visibility from its mobile protection tools.
The researchers noted that Triada was found on counterfeit versions of popular smartphone models sold through online stores at discounted prices to lure unsuspecting buyers.
Triada is a modular Android malware first discovered in 2016, considered a pioneer at the time for operating almost entirely in the device’s RAM to evade detection.
Since then, Triada has repeatedly been found hiding in the firmware of low-cost Android phones sold through dubious unofficial retail channels, making it both stealthy and persistent: because it lives in the system partition rather than in a user-installed app, a factory reset does not remove it, and only reflashing the ROM does.
Kaspersky's latest report indicates that the newest version of Triada remains highly evasive, embedding itself in Android's system framework so that a copy of it is loaded into every process running on the smartphone.
The latest Triada malware variant performs the following actions on infected devices:
- Steals accounts from messengers and social media
- Sends and deletes messages via WhatsApp and Telegram to impersonate users
- Hijacks cryptocurrency by replacing wallet addresses in apps
- Tracks browsing activity and swaps links
- Spoofs phone numbers during calls to reroute conversations
- Intercepts, sends, and deletes SMS messages
- Sends premium-rate SMS messages to charge the victim for paid services
- Downloads and runs additional apps remotely
- Blocks network connections to evade detection or disrupt defenses
Transaction analysis shows that the new Triada trojan has stolen at least $270,000 worth of cryptocurrency. The true total is likely higher, since some of the transfers involve Monero, whose transactions cannot be traced on-chain.
Kaspersky isn’t sure how the devices are infected with Triada but hypothesizes it’s the result of a supply chain attack.
“Its [Triada’s] new version is embedded into smartphone firmware before the devices even reach users,” commented Kaspersky’s Dmitry Kalinin.
“It is likely that the supply chain is compromised at some point, so even the stores may not realize they’re selling phones with Triada.”
To mitigate this risk, buy smartphones only from authorized distributors, and treat a heavily discounted "flagship" from an unknown online seller as suspect.
If a device is in doubt, reflash it with a clean system image from the manufacturer (Google publishes factory images for its Pixel devices) or with a trustworthy third-party ROM such as LineageOS or GrapheneOS. Note that these ROMs support only specific genuine hardware (GrapheneOS supports Pixel devices only), and a counterfeit clone of a popular model usually uses different internals than the genuine phone, so the official builds for that model will not install on it; in that case replacing the device is the only reliable remedy.
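A practical first check before deciding whether a handset is worth trusting or reflashing, as an added example that is not from the article or from Kaspersky: a POSIX shell script that parses `adb shell getprop` output and flags the properties a counterfeit or tampered firmware commonly gets wrong. The vendor, model and build identifiers and the two getprop samples in it are constructed for illustration; the property names (`ro.boot.verifiedbootstate`, `ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`, `ro.build.tags`, `ro.build.fingerprint`) are standard Android system properties, though not every OEM sets all of them.

```shell
#!/bin/sh
# Added example, not code from the article or from Kaspersky: first-pass
# triage of a suspect handset from the output of `adb shell getprop`.
# It flags the signals a firmware-resident implant or a counterfeit clone
# tends to show: non-green verified boot, an unlocked bootloader, a
# test-keys build, and a build fingerprint that differs from the one the
# vendor publishes for the genuine model. Every value comes from the
# firmware under suspicion, so a clean result is not proof of a clean
# device; a mismatch, however, is a strong reason to stop trusting it.

# prop_value PROPS NAME: print the value of property NAME from getprop text.
# getprop prints one property per line as: [ro.build.tags]: [release-keys]
prop_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | sed -n "s/^\[$name]: \[\(.*\)]\$/\1/p" | head -n 1
}

# assess_props PROPS EXPECTED_FINGERPRINT
# Prints one line per finding; the return code is the number of findings
# (0 means nothing looked wrong).
assess_props() {
    props=$1
    expected_fp=$2
    findings=0

    state=$(prop_value "$props" ro.boot.verifiedbootstate)
    if [ "$state" != "green" ]; then
        echo "verified boot state is '${state:-unset}', expected 'green'"
        findings=$((findings + 1))
    fi

    locked=$(prop_value "$props" ro.boot.flash.locked)
    devstate=$(prop_value "$props" ro.boot.vbmeta.device_state)
    if [ "$locked" != "1" ] && [ "$devstate" != "locked" ]; then
        echo "bootloader not reported as locked (flash.locked='${locked:-unset}', vbmeta.device_state='${devstate:-unset}')"
        findings=$((findings + 1))
    fi

    tags=$(prop_value "$props" ro.build.tags)
    if [ "$tags" != "release-keys" ]; then
        echo "build tags are '${tags:-unset}', expected 'release-keys'"
        findings=$((findings + 1))
    fi

    fp=$(prop_value "$props" ro.build.fingerprint)
    if [ -n "$expected_fp" ] && [ "$fp" != "$expected_fp" ]; then
        echo "fingerprint '${fp:-unset}' differs from expected '$expected_fp'"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample data (hypothetical vendor "vendorco", model "starlite"
# and build ids), not captured from a real device. In real use replace with:
#   adb shell getprop > props.txt
#   assess_props "$(cat props.txt)" "$GENUINE_FP"
# where GENUINE_FP is the fingerprint the OEM publishes for that exact build.
GENUINE_FP='vendorco/starlite/starlite:14/ABC1.240101.001/1001:user/release-keys'

sample_clean() {
    cat <<'EOF'
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.fingerprint]: [vendorco/starlite/starlite:14/ABC1.240101.001/1001:user/release-keys]
[ro.build.tags]: [release-keys]
EOF
}

# What a clone often looks like: unlocked, orange boot state, test-keys,
# and a fingerprint that matches no official build of the model.
sample_suspect() {
    cat <<'EOF'
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.fingerprint]: [vendorco/starlite/starlite:9/XYZ9.190101.001/1:user/test-keys]
[ro.build.tags]: [test-keys]
EOF
}

echo "== constructed clean device =="
assess_props "$(sample_clean)" "$GENUINE_FP" && echo "no findings"
echo "== constructed suspect device =="
assess_props "$(sample_suspect)" "$GENUINE_FP" || echo "$? finding(s)"
```

Because the properties are reported by the very firmware being assessed, a clean result only rules out sloppy counterfeits; treat a mismatch as decisive and a match as merely not yet suspicious. Take the fingerprint to compare against from the OEM's published factory image for that exact model and build, not from another phone bought through the same channel.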