
In a newly released report, Kaspersky Labs warns of an alarming evolution in the Triada Trojan, a notorious Android malware that has adapted to exploit the latest protections in the mobile ecosystem. Researchers have uncovered that the newest versions of Triada are now being pre-installed into the firmware of counterfeit Android devices — making them nearly impossible to remove without a full system reinstallation.
“We discovered new versions of the Triada Trojan on devices whose firmware was infected even before they were available for sale,” Kaspersky reported. “These were imitations of popular smartphone brands, and they remained available from various online marketplaces at the time of our research.”
Initially exploiting root vulnerabilities in older Android versions, Triada adapted as manufacturers hardened their systems. Today, attackers bypass operating system restrictions entirely by embedding malicious components within the system partition, infecting the very heart of the device at the Zygote process level — the parent of all Android applications.
“Attackers are now embedding a sophisticated multi-stage loader directly into device firmware. This allows the Trojan to infect the Zygote process, thereby compromising every application running on the system,” Kaspersky stated.

Through this method, Triada gains sweeping control, loading malicious payloads into any app launched by the user.
Triada’s modular design enables tailored attacks depending on the app targeted. According to Kaspersky’s findings:
- Cryptocurrency theft: Triada modifies clipboard data and interface elements, swapping wallet addresses during transfers to steal funds.
- Account hijacking: It steals login credentials and session tokens for Telegram, Instagram, WhatsApp, Facebook, and more.
- Browser manipulation: It intercepts and replaces links clicked in browsers like Chrome and Firefox, opening the door to phishing attacks.
- SMS and call interception: It hijacks SMS messages to steal verification codes or register unauthorized services.
- Device hijacking: It turns infected devices into reverse proxies, enabling attackers to route malicious traffic through victim devices.
“The modular architecture of the malware gives attackers virtually unlimited control over the system, enabling them to tailor functionality to specific applications,” Kaspersky explained.
The infection is initiated via a malicious system library (binder.so) embedded into the device’s framework. From there, the malware carefully selects modules to deploy based on the running application’s package name. For instance:
- Cryptocurrency apps like Binance and KuCoin are targeted by crypto stealers.
- Messaging apps like Telegram and WhatsApp are infected with modules that harvest login tokens and hijack conversations.
- Browsers are targeted to inject and swap malicious links.
Notably, the malware dynamically communicates with C2 servers, using strong encryption (AES-128, RSA) to download additional modules tailored for specific applications.
“Each additional malware payload can use all the permissions available to the app,” Kaspersky highlights, making privilege escalation unnecessary once Triada infiltrates an app’s process.
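Because a Zygote-level implant such as the binder.so library described above is inherited by every app process, one defender-side check is to compare the libraries mapped into several app processes and flag any that appear in all of them but are not part of a known-good firmware baseline. The script below is an added illustration, not code from Kaspersky's report; the baseline set, the process dumps and the paths in them are constructed, and the `/proc/<pid>/maps` format is the standard Linux one.

```python
import re
from collections import Counter

# Constructed baseline of libraries expected in every app process; on a real
# device take it from a clean firmware build, never from the suspect device.
KNOWN_GOOD = {
    "/system/lib64/libc.so",
    "/system/lib64/libbinder.so",
    "/apex/com.android.art/lib64/libart.so",
}

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAP_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ \S+ \S+ \S+ \S+\s+(\S+)$")

def mapped_libraries(maps_text):
    """Set of file-backed .so/.oat paths found in one /proc/<pid>/maps dump."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m and m.group(1).startswith("/") and m.group(1).endswith((".so", ".oat")):
            libs.add(m.group(1))
    return libs

def ubiquitous_unknown_libs(maps_by_pid, known_good=KNOWN_GOOD):
    """Libraries mapped in every sampled app process but missing from the baseline.
    Zygote-level injection shows up this way: one unexpected .so in every forked app."""
    counts = Counter()
    for text in maps_by_pid.values():
        counts.update(mapped_libraries(text))
    return sorted(p for p, c in counts.items()
                  if c == len(maps_by_pid) and p not in known_good)

# Constructed sample dumps (addresses, devices, inodes made up) for three app
# processes; the "binder.so" entry uses the library name the report gives.
SAMPLE_MAPS = {
    1001: "7a00000000-7a00100000 r-xp 00000000 fd:00 10 /system/lib64/libc.so\n"
          "7a00200000-7a00300000 r-xp 00000000 fd:00 11 /system/lib64/libbinder.so\n"
          "7a00400000-7a00410000 r-xp 00000000 fd:00 99 /system/lib64/binder.so\n"
          "7a00500000-7a00600000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
    1002: "7b00000000-7b00100000 r-xp 00000000 fd:00 10 /system/lib64/libc.so\n"
          "7b00400000-7b00410000 r-xp 00000000 fd:00 99 /system/lib64/binder.so\n"
          "7b00700000-7b00800000 r-xp 00000000 fd:01 55 /data/app/com.example.wallet/lib/arm64/libwallet.so",
    1003: "7c00000000-7c00100000 r-xp 00000000 fd:00 10 /system/lib64/libc.so\n"
          "7c00400000-7c00410000 r-xp 00000000 fd:00 99 /system/lib64/binder.so\n"
          "7c00900000-7c00a00000 r-xp 00000000 fd:00 12 /apex/com.android.art/lib64/libart.so",
}

if __name__ == "__main__":
    for lib in ubiquitous_unknown_libs(SAMPLE_MAPS):
        print("suspicious library mapped in every app process:", lib)
```

On a real device the baseline must be generated from a clean image of the same build, since a stock Android image maps hundreds of legitimate system libraries into every app; this remains a heuristic, and a firmware-level implant that hides its mappings would not be caught by it.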
The scale of the operation is significant. Kaspersky telemetry detected over 4,500 infected devices worldwide, with high infection rates reported in Russia, the UK, Germany, the Netherlands, and Brazil. Cryptocurrency analysis indicated that the attackers have accumulated over $264,000 by June 2025 via their malicious activities.
Perhaps the most concerning revelation is the attack vector. Infected devices were often counterfeit products posing as popular brands, distributed unknowingly through online marketplaces: “It is likely that a stage in the supply chain was compromised, with the vendors in online stores possibly being unaware that they were distributing fake devices infected with Triada.”
This underscores the critical need for consumers to buy devices from trusted sources and verify firmware authenticity.
If your device is suspected to be infected with Triada, Kaspersky advises:
- Install clean firmware directly from official sources.
- Avoid using messaging apps, crypto wallets, or social media clients before reinstalling firmware.
- Use reputable mobile security solutions to detect embedded threats.
“The new version of the Triada Trojan is a multi-stage backdoor giving attackers unlimited control over a victim’s device,” Kaspersky concluded.