New Android Trojan Discovered: Stealing Cryptocurrency, Accounts, and Manipulating Caller IDs

Experts from Kaspersky Lab have identified a new version of the Triada Trojan. This malware has been found embedded in the firmware of new Android smartphones that bear a resemblance to popular models. These devices are being sold at reduced prices in unauthorized online stores. So far, 2,600 users, primarily in Russia, have encountered this new variant of Triada.

The Trojan is integrated into the Android system framework, so it is active in every process on the device. Its extensive capabilities give cybercriminals full control over the infected smartphone. The malware can:

— Steal accounts from messaging apps and social networks, including Telegram and TikTok;
— Send messages on behalf of the user in WhatsApp and Telegram, and subsequently delete them;
— Steal cryptocurrency by altering wallet addresses;
— Monitor browser activities and manipulate links;
— Change phone numbers during calls;
— Intercept, send, and delete SMS messages;
— Enable the sending of paid premium SMS messages;
— Download and execute additional malware;
— Disrupt network connections, hindering protective systems.

Triada is implanted into smartphones before they are even purchased. Experts indicate that the infection occurs during one of the distribution stages, which sellers may be unaware of. The malware is actively utilized for financial gain. Transaction analysis suggests that its creators have transferred $270,000 in cryptocurrency to their wallets, a portion of which may have been acquired through Monero — an untraceable cryptocurrency. Kaspersky’s solutions classify this version of the Trojan as Backdoor.AndroidOS.Triada.z.

Kaspersky Lab experts caution that pre-installed malware remains a significant threat. In the first three months of 2025, thousands of users in Russia encountered such malicious software.