Kaspersky discovers improved version of Android Trojan Triada, warns of devastating effects

Russian cybersecurity company Kaspersky Lab has discovered a new and improved version of the Android Trojan Triada, malware that comes pre-installed on fake Android smartphones allegedly sold through unauthorized retailers.
According to the company, the malware, which is embedded in the system software, operates undetected, giving attackers full control over infected devices.
More than 2,600 users worldwide have been affected.
Unlike typical mobile malware that spreads through malicious apps, this Triada variant integrates into the system framework and infiltrates every running process, allowing it to perform a wide range of malicious activities.
The company listed them as follows: hijacking messaging and social media accounts including Telegram, TikTok, Facebook and Instagram; sending and deleting messages on apps like WhatsApp and Telegram; changing crypto wallet addresses; redirecting phone calls by impersonating caller IDs; monitoring browser activity and injecting links; intercepting, sending and deleting SMS messages; enabling premium SMS charges; downloading and executing additional payloads; and potentially blocking network connections to bypass fraud prevention systems.
First discovered in 2016 by Kaspersky
Kaspersky solutions detected this variant as Backdoor.AndroidOS.Triada.z. First discovered in 2016, Triada has steadily evolved to exploit system-level privileges, hijack SMS verifications and evade detection. This latest campaign marks a worrying escalation, as attackers are likely exploiting supply chain vulnerabilities to inject malware into fake devices at the firmware level.
Dmitry Kalinin, a malware analyst on the Kaspersky Threat Research Team, quoted in the statement, said the Triada Trojan has become one of the most advanced threats to the Android ecosystem.
Kalinin said this new version operates at the firmware level, infiltrating the device during production before it reaches the user, and noted that this points to a security gap in the supply chain.
According to analysis of open sources, the attackers have transferred at least $270,000 in stolen cryptocurrency to their own wallets, he said.
However, the real total is likely to be higher because of the use of cryptocurrencies that are difficult to track, such as Monero, Kalinin added.