{"id":53331,"date":"2025-04-25T09:03:09","date_gmt":"2025-04-25T13:03:09","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53331"},"modified":"2025-04-25T09:03:09","modified_gmt":"2025-04-25T13:03:09","slug":"trojan-in-fake-smartphones","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/trojan-in-fake-smartphones\/53331\/","title":{"rendered":"Trojan embedded in fake Android smartphones"},"content":{"rendered":"<p>The familiar checkout ritual at the supermarket: once everything\u2019s been scanned \u2014 the offer, delivered with a hopeful smile: \u201cChocolate bar for the road? It\u2019s a good one, and the discount is almost criminal\u201d. If you\u2019re lucky, you get a delicious bonus at a great price. But more often than not they\u2019re trying to sell you something that\u2019s not selling well: either it\u2019s about to expire or it has some other hidden flaw.<\/p>\n<p>Now, imagine you declined that chocolate bar, but it was secretly slipped into your bag anyway, or even worse, into your pocket, where it melted and ruined your clothes, spoiling your day. Well, something similar happened to those who bought knock-offs of popular smartphone brands from online marketplaces. No, they didn\u2019t get a chocolate bar. They walked away with a brand-new smartphone that had the Triada Trojan embedded in its firmware. This is much worse than melted chocolate. Their crypto balances, along with their Telegram, WhatsApp, and social media accounts, could be gone before they could utter \u201cbargain!\u201d. Someone could steal their text messages and a lot more.<\/p>\n<h2>Triada? What Triada?<\/h2>\n<p>That\u2019s the name we at Kaspersky gave to the Trojan we first discovered and <a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\" rel=\"noopener nofollow\">described in detail<\/a> in 2016. 
This mobile malware would infiltrate almost every process running on a device, while residing only in the RAM.<\/p>\n<p>The emergence of Triada spelled a new era in the evolution of mobile threats targeting Android. Before Triada, Trojans were relatively harmless \u2014 mainly displaying ads and downloading other Trojans. This new threat showed that things would never be the same again.<\/p>\n<p>With time, Android developers fixed the vulnerabilities that early versions of Triada exploited. Recent Android versions restricted even users with root privileges from editing system partitions. Did this stop the cybercriminals? What do you think?!..<\/p>\n<p>Fast-forward to March 2025, and we discovered an adapted version of Triada that takes advantage of the new restrictions. The threat actor infects the firmware even before the smartphones are sold. Pre-installed in system partitions, the malware proves nearly impossible to remove.<\/p>\n<h2>What is this new version capable of?<\/h2>\n<p><a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">Our Android security solution<\/a> detects the new version of Triada as <strong>Backdoor.AndroidOS.Triada.z<\/strong>. This new version is what\u2019s embedded in the firmware of fake Android smartphones available from online marketplaces. It can attack <em>any<\/em> application running on the device. This gives the Trojan virtually unlimited capabilities. It can control text messages and calls, steal crypto, download and run other applications, replace links in browsers, surreptitiously send messages in chat apps on your behalf, and hijack social media accounts.<\/p>\n<p>A copy of Triada infiltrates every app launched on an infected device. Besides that, the Trojan includes specialized modules that target popular apps. 
As soon as the user downloads a legitimate app like Telegram or TikTok, the Trojan embeds itself in it and starts causing harm.<\/p>\n<p><strong>Telegram. <\/strong>Triada downloads two modules to compromise Telegram. The first one initiates malicious activity once a day, connecting to a command-and-control (C2) server. It sends the victim\u2019s phone number to the criminals, along with complete authentication data \u2014 including the access token. The second module filters all messages, interacting with a bot (which didn\u2019t exist at the time of our research), and deleting notifications about new Telegram logins.<\/p>\n<p><strong>Instagram.<\/strong> Once a day, the Trojan runs a malicious task to search for active session cookies and forward the data to the attackers. These files help the criminals assume full control over the account.<\/p>\n<p><strong>Browsers. <\/strong>Triada threatens a number of browsers: Chrome, Opera, Mozilla, and some others. The full list is available <a href=\"https:\/\/securelist.com\/triada-trojan-modules-analysis\/116380\/\" target=\"_blank\" rel=\"noopener\">in the Securelist article<\/a>. The module connects to the C2 server over TCP and randomly redirects legitimate links in the browsers to advertising sites for now. However, because the Trojan downloads redirect links from its C2 server, attackers can direct users to phishing sites at any time.<\/p>\n<p><strong>WhatsApp.<\/strong> Again, there are two modules. The first one collects and sends data about the active session to the C2 server every five minutes \u2014 giving the attackers full access to the victim\u2019s account. 
The second one intercepts the client functions for sending and receiving messages, which allows the malware to send and then delete arbitrary instant messages to cover its tracks.<\/p>\n<p><strong>LINE.<\/strong> The dedicated Triada module collects internal app data, including authentication data (access token), every 30 seconds, and forwards it to the C2 server. In this case, too, someone else assumes full control of the user\u2019s account.<\/p>\n<p><strong>Skype.<\/strong> Although Skype is about to be <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/blog\/2025\/02\/28\/the-next-chapter-moving-from-skype-to-microsoft-teams\/\" target=\"_blank\" rel=\"nofollow noopener\">retired<\/a>, Triada still has a module for infecting it. Triada uses several methods to obtain the authentication token and then sends it to the C2 server.<\/p>\n<p><strong>TikTok.<\/strong> This module can collect a lot of data about the victim\u2019s account from cookie files in the internal directory, and also extract data required for communicating with the TikTok API.<\/p>\n<p><strong>Facebook.<\/strong> Triada is armed with two modules for this app. One of them steals authentication cookies, and the other sends information about the infected device to the C2 server.<\/p>\n<p>Of course, there are also <strong>modules for SMS and calls<\/strong>. The first <strong>SMS module<\/strong> allows the malware to filter all incoming messages and extract codes from them, respond to some messages\u00a0(likely to subscribe victims to paid services), and send arbitrary SMS messages when instructed by the C2 server. The second, auxiliary module disables the built-in Android protection against SMS Trojans that requests user permission before sending messages to short codes (Premium SMS), which could be used to confirm paid subscriptions.<\/p>\n<p>The <strong>call module<\/strong> embeds itself in the phone app, but it\u2019s most likely still under development. 
We discovered that it partially implements phone number spoofing \u2014 something we expect to be completed soon.<\/p>\n<p>Another module, a <strong>reverse proxy<\/strong>, turns the victim\u2019s smartphone into a reverse proxy server, giving attackers access to arbitrary IP addresses on behalf of the victim.<\/p>\n<p>Not unexpectedly, Triada also targets crypto owners, with a special surprise awaiting them: a <strong>clipper<\/strong>. The Trojan watches the clipboard for crypto wallet addresses, substituting one of the attackers\u2019 own. A <strong>crypto stealer<\/strong> analyzes the victim\u2019s activity, replacing crypto wallet addresses with fraudulent addresses anywhere it can, whenever an attempt is made to withdraw cryptocurrency. It even interferes with button tap handlers inside apps and replaces images with generated QR codes that link to the attackers\u2019 wallet addresses. The criminals have managed to steal more than US$264\u00a0000 in various cryptocurrencies since June 13, 2024 with the help of these tools.<\/p>\n<p>See <a href=\"https:\/\/securelist.com\/triada-trojan-modules-analysis\/116380\/\" target=\"_blank\" rel=\"noopener\">our Securelist report<\/a> for a full list of Triada features and a detailed technical analysis.<\/p>\n<h2>How the malware infiltrates smartphones<\/h2>\n<p>In every infection case that we are aware of, the firmware name on the device differed from the official one by a single letter. For example, the official firmware was <strong>TGPMIXM<\/strong>, while the infected phones had <strong>TGPMIXN<\/strong>. We found posts on relevant discussion boards where users complained about counterfeit devices purchased from online stores.<\/p>\n<p>It\u2019s likely that a stage in the supply chain was compromised, while the stores had no idea they were distributing devices infected with Triada. 
Meanwhile, it\u2019s practically impossible to determine exactly when the malware was placed inside the smartphones.<\/p>\n<h2>How to protect yourself from Triada<\/h2>\n<p>The new version of the Trojan was found pre-installed on counterfeit devices. Therefore, the best way to avoid Triada infection is to buy smartphones from authorized dealers only. If you suspect that your phone may have been infected with Triada (or another Trojan), here are our recommendations.<\/p>\n<ul>\n<li>Refrain from using any of the potentially compromised apps listed above or making any financial transactions \u2014 including cryptocurrency.<\/li>\n<li>Install <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky for Android<\/a>\u00a0on your smartphone to check if it\u2019s indeed infected.<\/li>\n<li>If Triada is found on the device, reflash the smartphone with the official firmware yourself, or contact the local service center. Expect sudden changes to your smartphone\u2019s specs: besides the pre-installed Trojan, the fake firmware often overstated the RAM and storage.<\/li>\n<li>If your smartphone is found to be infected with Triada, check all messaging and social media apps that may have been compromised. For chat apps, make sure you terminate any sessions still running on devices you don\u2019t recognize, and check your privacy settings according to our guide <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-prevent-whatsapp-telegram-account-hijacking-and-quishing\/53012\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>WhatsApp and Telegram account hijacking: How to protect yourself against scams<\/strong><\/a>. 
If you suspect that your instant messaging accounts have been hijacked, read <a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-account-hacked\/53069\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>What to do if your WhatsApp account gets hacked<\/strong><\/a> or <a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-account-hacked\/52775\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>What to do if your Telegram account is hacked<\/strong><\/a>. Terminate all social media sessions on all your devices and change your passwords. <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>\u00a0can help you with that.<\/li>\n<li>Our <a href=\"https:\/\/privacy.kaspersky.com\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=gl_kd-banner_ap0072&amp;utm_content=banner&amp;utm_term=gl_kdaily_organic_hwzuab72aq5ynvk\" target=\"_blank\" rel=\"noopener\">Privacy Checker<\/a>\u00a0portal offers a step-by-step guide on configuring privacy in various applications and operating systems in general.<\/li>\n<\/ul>\n<blockquote><p>Triada is far from the only mobile Trojan. 
Follow these links for our stories about other Android malware:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/necro-infects-android-users\/52201\/\" target=\"_blank\" rel=\"noopener nofollow\">How the Necro Trojan attacked 11 million Android users<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\">SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/tria-stealer-wedding-scam\/52958\/\" target=\"_blank\" rel=\"noopener nofollow\">Beware of stealers disguised as\u2026 wedding invitations<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/51923\/\" target=\"_blank\" rel=\"noopener nofollow\">LianSpy: new mobile spyware for Android<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-3\">\n","protected":false},"excerpt":{"rendered":"<p>Counterfeit smartphones imitating well-known brands and offered online come pre-installed with the powerful Triada 
Trojan.<\/p>\n","protected":false},"author":2739,"featured_media":53333,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[105,404,2640,20,765,607,43,211,611,1475,723,546],"class_list":{"0":"post-53331","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-cookies","10":"tag-cryptocurrencies","11":"tag-facebook","12":"tag-instagram","13":"tag-messengers","14":"tag-privacy","15":"tag-social-media","16":"tag-telegram","17":"tag-triada","18":"tag-trojans","19":"tag-whatsapp"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/trojan-in-fake-smartphones\/53331\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/trojan-in-fake-smartphones\/28778\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/trojan-in-fake-smartphones\/24012\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/trojan-in-fake-smartphones\/12383\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/trojan-in-fake-smartphones\/28891\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/trojan-in-fake-smartphones\/28073\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/trojan-in-fake-smartphones\/30910\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/trojan-in-fake-smartphones\/29611\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/trojan-in-fake-smartphones\/39418\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/trojan-in-fake-smartphones\/13304\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/trojan-in-fake-smartphones\/22745\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/trojan-in-fake-smartphones\/23675\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/trojan-in-fake-smartphones\/32106\/"},{"hrefla
ng":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/trojan-in-fake-smartphones\/29055\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/trojan-in-fake-smartphones\/34835\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/trojan-in-fake-smartphones\/34467\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2739"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53331"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53331\/revisions"}],"predecessor-version":[{"id":53336,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53331\/revisions\/53336"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53333"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}