Hackers Selling Counterfeit Android Phones With Crypto-Stealing Malware: Kaspersky

by shayaan

That cheap smartphone may look like a steal – and it could be, but not in the way you hoped.

Cheap counterfeit phones are now being sold with malware that targets unsuspecting Android users: stealing cryptocurrency, replacing phone numbers during calls and hijacking their social media accounts.

Cybersecurity company Kaspersky reported the new technique for spreading the dangerous Triada Trojan in a recent analysis. Since its discovery in 2016, Triada has evolved into one of the most complex and dangerous Android threats because it can infiltrate every process on the smartphone.

In its latest iteration, hackers have implanted the malware deep in the system framework of counterfeit smartphones, making it extremely difficult to detect and remove.

“The supply chain is probably compromised in one of the phases, so stores cannot even suspect that they are selling smartphones with Triada,” said Dmitry Kalinin, a cyber security expert at Kaspersky Lab.

Between 13 and 27 March 2025, more than 2,600 users came across the Trojan, with the malware giving attackers “almost unlimited control” over their smartphones, according to the report.

The malware can steal user credentials from messengers such as Telegram and TikTok, as well as crypto wallet addresses, and can even hijack the victim's communications by sending messages on their behalf.

As Kaspersky notes, this is probably just the tip of the iceberg, because the attackers continue to exploit these devices for financial gain.

What is the Triada Trojan?

Triada first appeared in 2016 and has since become one of the most advanced mobile malware threats to Android users.

The modular Trojan gains root access to infected devices, allowing it to inject malicious code into system processes such as Zygote, which controls the launch of all apps on Android.

This makes Triada extremely difficult to detect, because it operates largely in the device's RAM and often hides from conventional security controls.

The latest report said that Triada also monitors web browser activity, replaces links and can interfere with anti-fraud systems by blocking network connections.

One of the most disturbing functions of Triada is the ability to replace phone numbers during calls, so that the attacker can intercept sensitive conversations.

The rising threat of mobile malware

The revival of Triada follows the recent rise of other mobile malware strains, such as Crocodilus, which are specifically aimed at crypto users.

Crocodilus uses social engineering tactics to steal wallet seed phrases by presenting itself as a legitimate app.

Once installed, it can control the infected device remotely, allowing cyber criminals to transfer sensitive data.

Kaspersky recommends keeping devices updated, installing trusted antivirus software and avoiding apps from unknown sources to protect against these threats.