Apr 4, 2025

Hackers Sell Counterfeit Phones Preloaded with Crypto-Stealing Malware

Cybercriminals are distributing counterfeit Android smartphones embedded with powerful malware designed to steal cryptocurrency and sensitive data, according to a new warning from cybersecurity firm Kaspersky.

In an April 1 statement, Kaspersky revealed that thousands of fake Android devices have been sold online at discount prices, loaded with a preinstalled version of the Triada Trojan, sophisticated malware that allows attackers to hijack the device before it even reaches the user.

“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” said Dmitry Kalinin, cybersecurity expert at Kaspersky Labs.

Unlike traditional malware infections, which usually occur after a user downloads malicious software or clicks a phishing link, the infected smartphones are compromised at the firmware level, meaning the malware is embedded before the device even leaves the factory.

Kalinin explained that the trojan infects every process on the device, allowing attackers to:

  • Replace cryptocurrency wallet addresses
  • Steal user account credentials
  • Intercept two-factor authentication codes
  • Gain almost unlimited control over the device

“The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets,” he said. 

“However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”

Global Impact with Supply Chain Concerns

Kaspersky said it has identified 2,600 confirmed infections in early 2025 alone, with the majority of cases originating in Russia. However, the threat is believed to be global in nature, as counterfeit phones continue to circulate through online marketplaces and unauthorized vendors.

The Android devices are sold at reduced prices but are riddled with malware. Source: Hovatek

Even more concerning, Kalinin warned that online sellers may not even be aware that the devices they’re selling are infected.

“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” he said.

First identified in 2016, Triada is notorious for targeting financial apps and messaging platforms like WhatsApp, Facebook, and Gmail. Previously spread through phishing campaigns or malicious downloads, its latest version embeds itself directly into the device’s firmware, giving users little chance to detect or remove it.

How to Stay Safe?

Kaspersky recommends the following to avoid falling victim:

  • Buy smartphones only from trusted retailers
  • Immediately install mobile security software after purchase
  • Avoid installing third-party APKs or apps from unknown sources

Growing Trend of Malware Targeting Crypto

Triada is just one of several malware threats recently discovered targeting the crypto space. In late March, ThreatFabric warned of Crocodilus, new Android malware that overlays fake prompts to steal users’ seed phrases. Meanwhile, Microsoft reported a remote access trojan (RAT) targeting over 20 browser-based crypto wallets through Google Chrome extensions.

As crypto adoption grows, so does the sophistication of the attacks. Experts urge consumers to treat their mobile devices like financial vaults, especially when storing or managing digital assets.


CoinRock Media covers the latest crypto news, delving into the future of money.
