Counterfeit Smartphones Found Preloaded with Advanced Android Malware

Fake versions of popular smartphones sold at bargain prices are turning out to be more than just cheap imitations. Security researchers have discovered that these devices are shipping with a pre-installed variant of Triada, a sophisticated Android malware capable of giving attackers full control over infected phones.

Over 2,600 Users Affected Worldwide

According to a report by cybersecurity firm Kaspersky, more than 2,600 users across multiple countries encountered the latest version of Triada between March 13 and March 27, 2025. The majority of the infections have been recorded in Russia, but experts believe the impact could be much broader.

Triada, first detected in 2016, is a modular remote access trojan (RAT) known for its ability to steal sensitive user data, hijack infected devices, and enlist them into botnets. This malware has evolved over the years, making its way into various Android devices through multiple channels, including third-party apps, modified WhatsApp versions, and even compromised hardware supply chains.

How Triada Gets into Android Devices

The latest attack vector appears to involve a serious compromise during the smartphone manufacturing process. Instead of being introduced via app installations, Triada is embedded directly into the Android system framework before the device even reaches consumers.

Google previously shed light on how such infections occur. In a 2019 report, the tech giant explained that certain original equipment manufacturers (OEMs) partner with third-party developers to add custom features, such as facial recognition. During this process, malicious actors inject the malware into the system image before the final version is shipped out.

In one such case, Google pointed fingers at a vendor named Yehuo or Blazefire, suggesting they were responsible for infecting device firmware with Triada. The malware then spreads throughout the system, giving attackers near-total control.

What Can Triada Do?

Once embedded in a device, Triada operates in the background, executing a wide range of malicious activities. Kaspersky’s analysis of the new Triada variant reveals several disturbing capabilities:

  • Stealing user accounts associated with messaging apps like Telegram and TikTok.
  • Secretly sending and deleting messages on WhatsApp and Telegram to avoid detection.
  • Hijacking cryptocurrency transactions by modifying clipboard content.
  • Spying on browser activity and replacing website links.
  • Manipulating phone calls by changing contact numbers in real time.
  • Intercepting SMS messages and enrolling victims in premium services.
  • Blocking network access to prevent security updates and fraud detection.
  • Downloading additional malware to further compromise the device.
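The clipboard hijacking capability in the list above is the one a wallet app can check for on its own: a "clipper" leaves what the user copied untouched and only changes what the clipboard returns afterwards, so the user's own copy is the ground truth to compare against. The following Python is an added detection sketch written for this article, not code from Kaspersky's report or from any wallet; the event model, the address regexes, and the sample events are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes used as a heuristic (constructed for this example; not
# indicators taken from Kaspersky's Triada analysis).
BTC_LEGACY = r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
BTC_BECH32 = r"bc1[ac-hj-np-z02-9]{25,62}"
ETH = r"0x[0-9a-fA-F]{40}"
ADDRESS_RE = re.compile(rf"^(?:{BTC_LEGACY}|{BTC_BECH32}|{ETH})$")


@dataclass(frozen=True)
class ClipboardEvent:
    t: float   # seconds since monitoring started
    kind: str  # "copy": the user copied text; "paste": text is about to be pasted
    text: str


@dataclass(frozen=True)
class Alert:
    t: float
    expected: str  # what the user actually copied
    observed: str  # what the clipboard handed back at paste time


def looks_like_address(text: str) -> bool:
    """True if the text has the shape of a BTC or ETH address."""
    return ADDRESS_RE.match(text.strip()) is not None


def detect_clipper(events: List[ClipboardEvent]) -> List[Alert]:
    """Flag pastes where the address the user copied comes back as a different address.

    Only the address-to-different-address case is flagged: a user who copies an
    address and then pastes unrelated text is not a clipper symptom.
    """
    alerts: List[Alert] = []
    last_copied: Optional[str] = None
    for ev in events:
        text = ev.text.strip()
        if ev.kind == "copy":
            last_copied = text
        elif ev.kind == "paste":
            if (last_copied is not None
                    and looks_like_address(last_copied)
                    and looks_like_address(text)
                    and text != last_copied):
                alerts.append(Alert(ev.t, last_copied, text))
    return alerts


# Constructed sample data: one swapped paste among ordinary clipboard use.
USER_ETH = "0x" + "11" * 20            # address the user copied from an exchange page
SWAPPED_ETH = "0x" + "deadbeef" * 5    # address the clipboard returned instead
USER_BTC = "1abcdefghijkmnpqrstuvwxyzABCDEFGHJ"

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "copy", USER_ETH),
    ClipboardEvent(2.0, "paste", SWAPPED_ETH),   # clipper substituted the address
    ClipboardEvent(10.0, "copy", "meet at 9"),
    ClipboardEvent(11.0, "paste", "meet at 9"),  # ordinary text, untouched
    ClipboardEvent(20.0, "copy", USER_BTC),
    ClipboardEvent(21.0, "paste", USER_BTC),     # address pasted unchanged: benign
]


def run_sample() -> List[Alert]:
    return detect_clipper(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a.t:.0f}s clipboard swap: copied {a.expected} but pasting {a.observed}")
```

In a real wallet the "copy" event would be the address the app itself displayed or the user selected, and the "paste" check would run in the send form before the transaction is built, so the user is shown both values and asked to confirm rather than silently sending to the substituted address.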

Pre-Installed Malware: A Growing Threat

Triada is not the only malware discovered in factory-shipped Android devices. Back in 2018, Avast found that several models from manufacturers like ZTE and Archos were shipping with an adware called Cosiloon. More recently, Android devices have also been targeted by other advanced banking trojans such as Crocodilus and TsarBot.

These malware families use dropper apps disguised as legitimate Google services to gain access to user data. They take advantage of Android’s accessibility features to conduct overlay attacks, tricking users into entering their banking credentials on fake login screens.

Triada’s Financial Footprint: $270,000 in Crypto Transactions

The creators of the new Triada variant are not just infecting devices for control; they are also actively making money from their operations. Kaspersky researchers traced cryptocurrency transactions linked to the malware and found that attackers had transferred around $270,000 in various digital assets between June 13, 2024, and March 27, 2025.

Dmitry Kalinin, a researcher at Kaspersky, warned that Triada remains one of the most dangerous Android threats. “At some stage, the supply chain is compromised, meaning even retailers may not know they are selling infected devices,” he said.

What This Means for Consumers

For users who unknowingly purchase these infected smartphones, the risks are severe. Sensitive personal and financial data can be stolen, leading to identity theft, financial losses, and unauthorized access to social media and messaging accounts.

To minimize the risk of falling victim to such attacks, experts recommend:

  • Buying smartphones from reputable retailers and official brand stores.
  • Avoiding ultra-cheap phone deals that seem too good to be true.
  • Checking for unusual behavior on a new device, such as unexplained app activity or battery drain.
  • Installing a reputable mobile security app to detect and remove potential threats.

With malware threats evolving and hackers finding new ways to compromise devices at the manufacturing level, smartphone users need to be more vigilant than ever before. As authorities and cybersecurity experts continue to investigate these incidents, consumers must stay cautious and informed to protect their data and digital lives.

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
