

Ethical Hacking News

New Android Malware Threat: Triada Trojan Infects 2,600+ Devices Through Counterfeit Phones




A recent report from Kaspersky has revealed that a modified version of the Triada malware, a modular Android malware family, has been preloaded on counterfeit Android phones sold at reduced prices. Over 2,600 users in different countries have encountered the new version of Triada, with most infections recorded between March 13 and 27, 2025. The malware has the capability to steal sensitive information, hijack clipboard content, monitor web browser activity, and conduct overlay attacks. The emergence of an updated version of Triada follows a recent surge in Android banking trojans and other malicious activities targeting users worldwide.

  • The Triada malware has been found on counterfeit Android phones sold at reduced prices.
  • Over 2,600 users in different countries were affected by the infections between March 13 and 27, 2025.
  • The malware can steal sensitive information, hijack clipboard content, monitor web browser activity, and intercept SMS messages.
  • The new version of Triada was found in the system framework, granting attackers unfettered access and control.
  • The malware uses WhatsApp mods such as FMWhatsApp and YoWhatsApp as a propagation vector.
  • Similar threats include the Crocodilus and TsarBot Android banking trojans and the Salvador Stealer Android malware strain.



  • THN Exclusive: A recent report from Kaspersky has revealed that a modified version of the Triada malware, a modular Android malware family, has been preloaded on counterfeit Android phones sold at reduced prices. The infections were recorded between March 13 and 27, 2025, with over 2,600 users in different countries affected.

    The Triada Trojan is known for its ability to steal sensitive information, including user accounts associated with instant messengers and social networks, as well as hijacking clipboard content with cryptocurrency wallet addresses. It also has the capability to monitor web browser activity, replace phone numbers during calls, intercept SMS messages, download other programs, block network connections, and conduct overlay attacks to siphon banking credentials and credit card details.

    According to Kaspersky, the new version of Triada was found in the system framework, allowing it to be copied to every process on the smartphone and granting attackers unfettered access and control. The malware uses WhatsApp mods such as FMWhatsApp and YoWhatsApp as a propagation vector, following previous campaigns that leveraged intermediate apps published on the Google Play Store.

    The emergence of an updated version of Triada follows the discovery of two different Android banking trojans called Crocodilus and TsarBot, which also target over 750 banking, financial, and cryptocurrency applications. Both malware families are distributed via dropper apps impersonating legitimate Google services and abuse Android's accessibility services to remotely control infected devices.

    The disclosure comes as ANY.RUN detailed a new Android malware strain dubbed Salvador Stealer that masquerades as a banking application catering to Indian users (package name: "com.indusvalley.appinstall") and is capable of harvesting sensitive user information. The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android.
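A defender-side triage for the dropper-delivered trojans described above, as an added example that is not part of the original article or of any vendor's tooling: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, then flags user-installed packages that hold an accessibility service and any install of the package name quoted in the article. The function names and the sample device output are assumptions constructed for illustration.

```python
# Added example: triage of adb output for accessibility-service abuse.
# All device output below is constructed sample data, not from a real case.

WATCHLIST = {"com.indusvalley.appinstall"}  # package name quoted in the article


def parse_packages(pm_output):
    """Parse `pm list packages -3` lines of the form 'package:<name>'."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")}


def parse_services(setting_value):
    """Parse the colon-separated 'pkg/class' list; 'null' or '' means none."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    services = []
    for comp in value.split(":"):
        pkg, _, cls = comp.partition("/")
        if pkg and cls:
            # '.Foo' is shorthand for '<pkg>.Foo'
            services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services


def triage(setting_value, pm_output, watchlist=WATCHLIST):
    """Return findings: watchlisted installs and user-installed a11y services."""
    third_party = parse_packages(pm_output)
    findings = [("watchlisted-package", pkg)
                for pkg in sorted(third_party & set(watchlist))]
    for pkg, cls in parse_services(setting_value):
        if pkg in third_party:
            findings.append(("third-party-accessibility-service", f"{pkg}/{cls}"))
    return findings


# Constructed sample: one preinstalled service, one user-installed service.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.updater/.SyncService")
SAMPLE_PM = "package:com.example.updater\npackage:com.indusvalley.appinstall\n"

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_SETTING, SAMPLE_PM):
        print(kind, detail)
```

A flagged accessibility service is a candidate for review, not a verdict, since legitimate apps also use the API. Because `pm list packages -3` lists only user-installed packages, this check does not cover a Triada build preloaded in the system framework.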

    The recent outbreak highlights the ongoing issue of counterfeit phones being preloaded with malware, as seen in previous cases involving Cosiloon adware. According to Kaspersky researcher Dmitry Kalinin, "Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada."

    The authors of the new version of Triada are actively monetizing their efforts, having transferred about $270,000 in various cryptocurrencies to their crypto wallets between June 13, 2024, and March 27, 2025.

    The situation underscores the importance of vigilance and robust cybersecurity measures for Android users. As the threat landscape continues to evolve, it is essential for consumers to remain informed and take steps to protect themselves against emerging threats.





  • Published: Thu Apr 3 03:52:13 2025 by llama3.2 3B Q4_K_M












