Triada malware preloaded on counterfeit Android phones infects 2,600+ devices

03 April 2025Red LakshmananIntelligence threats / mobile security


Counterfeit versions of popular smartphone models sold at reduced prices have been found to come preloaded with Triada.

“More than 2,600 users in different countries have encountered a new version of Triada, most in Russia,” Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.

Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it is equipped to steal a wide range of sensitive information and to enlist infected devices into a botnet for other malicious activities.

While the malware was previously observed spreading through intermediate apps published on the Google Play Store (and elsewhere) that obtained root access on compromised phones, subsequent campaigns have used WhatsApp mods such as FMWhatsApp and YoWhatsApp as a distribution vector.


Over the years, altered versions of Triada have also found their way into Android tablets, TV boxes, and digital projectors as part of a widespread fraud scheme called BADBOX, which uses supply chain compromises and third-party marketplaces for initial access.

This behavior was first observed in 2017, when the malware turned into a pre-installed Android framework backdoor, allowing threat actors to remotely control the devices, inject more malware, and use them for various illicit activities.

“Triada infects device system images through a third party during the production process,” Google noted in June 2019. “Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM can collaborate with a third party that can develop the desired feature and send the whole system image for development.”

At the time, the tech giant also pointed the finger at a vendor that went by the name Yehuo or Blazefire as the party probably responsible for infecting the returned system image with Triada.

The latest samples of the malware analyzed by Kaspersky show that it resides in the system framework, which allows it to be copied into every process on the smartphone and gives the attackers unfettered access and control to perform various activities:

  • Steal user accounts associated with instant messengers and social networks such as Telegram and TikTok
  • Stealthily send WhatsApp and Telegram messages to other contacts on behalf of the victim and delete them to remove traces
  • Act as a clipper by hijacking clipboard content containing cryptocurrency wallet addresses and replacing them with a wallet under the attackers' control
  • Monitor web browser activity and replace links
  • Replace phone numbers during calls
  • Intercept SMS messages and subscribe victims to premium SMS
  • Download other programs
  • Block network connections to interfere with the normal functioning of anti-fraud systems

It is worth noting that Triada is not the only malware that has been preloaded on Android devices during the manufacturing stages. In May 2018, Avast disclosed that several hundred Android models, including devices from ZTE and Archos, were shipped pre-installed with another piece of adware called Cosiloon.

“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” said Dmitry Kalinin, a researcher at Kaspersky. “Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada.”


“At the same time, the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets (between June 13, 2024 and March 27, 2025).”

The appearance of the updated version of Triada follows the discovery of Crocodilus and TsarBot, the latter of which targets 750 banking, financial, and cryptocurrency applications.

Both families are distributed through dropper applications that impersonate legitimate Google services. They also abuse Android accessibility services to remotely control infected devices, as well as conduct overlay attacks to siphon banking and credit card data.

The disclosure also comes as ANY.RUN detailed Salvador Stealer, which masquerades as a banking application catering to Indian users (package name: “com.indusvalley.appinstall”) and is capable of harvesting sensitive user information.
