Thousands of counterfeit Android smartphones being sold online at bargain prices are preloaded with sophisticated malware capable of stealing cryptocurrency and sensitive data, cybersecurity firm Kaspersky Labs revealed in an April 1 report.
The malware, a dangerous variant of the Triada Trojan, is embedded directly into the firmware of these devices, giving attackers nearly unrestricted access to the phone’s system. This allows them to hijack financial apps, intercept messages—including two-factor authentication codes—and secretly reroute cryptocurrency transactions by altering copied wallet addresses.
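The "altering copied wallet addresses" behaviour described above is a clipboard-substitution (clipper) technique: the user copies a legitimate address, and what gets pasted is an attacker-controlled one of the same format. The following is an added illustration, not code from Kaspersky's report or from Triada, of the defensive check a wallet app or endpoint monitor can apply: recognise address-shaped strings, compare what the user copied against what is about to be pasted, and flag a silent swap within the same address family. The address patterns and the sample addresses are constructed approximations for demonstration only.

```python
import re

# Approximate address-format patterns (constructed for illustration; real
# validation would also verify checksums). Enough to tell "this looks like
# a wallet address of family X" from arbitrary clipboard text.
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text):
    """Return the address family a string matches, or None if it is not address-shaped."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def check_clipboard_integrity(copied, pasted):
    """Compare what the user copied with what is about to be pasted.

    Verdicts:
      ok                 - identical content
      substituted        - both are addresses of the same family but differ (clipper signature)
      unexpected_address - non-address was copied, but an address is being pasted
      changed            - content differs in some other way
    """
    copied_family = classify_address(copied)
    pasted_family = classify_address(pasted)
    if copied.strip() == pasted.strip():
        verdict = "ok"
    elif copied_family and copied_family == pasted_family:
        verdict = "substituted"
    elif pasted_family and not copied_family:
        verdict = "unexpected_address"
    else:
        verdict = "changed"
    return {
        "verdict": verdict,
        "copied_family": copied_family,
        "pasted_family": pasted_family,
        # Short prefix/suffix shown to the user so they can eyeball the swap.
        "expected_hint": f"{copied.strip()[:6]}...{copied.strip()[-6:]}",
        "actual_hint": f"{pasted.strip()[:6]}...{pasted.strip()[-6:]}",
    }


def audit_clipboard_events(events):
    """Scan a sequence of clipboard observations for silent address swaps.

    events: list of (source, value) where source is "user_copy" (a copy the
    user performed) or "observed" (a periodic read of the clipboard). A read
    that returns a different address than the last user copy, with no copy
    action in between, is flagged. Returns the list of alerts.
    """
    alerts = []
    last_user_copy = None
    for source, value in events:
        if source == "user_copy":
            last_user_copy = value
        elif source == "observed" and last_user_copy is not None:
            result = check_clipboard_integrity(last_user_copy, value)
            if result["verdict"] in ("substituted", "unexpected_address"):
                alerts.append(result)
    return alerts


# Constructed sample addresses (not real wallets).
ETH_USER = "0x" + "ab" * 20
ETH_ATTACKER = "0x" + "cd" * 20
XMR_USER = "4A" + "B" * 93

if __name__ == "__main__":
    sample_events = [
        ("user_copy", ETH_USER),
        ("observed", ETH_USER),      # unchanged: fine
        ("observed", ETH_ATTACKER),  # silently replaced: flag it
        ("user_copy", XMR_USER),
        ("observed", XMR_USER),
    ]
    for alert in audit_clipboard_events(sample_events):
        print(alert["verdict"], alert["expected_hint"], "->", alert["actual_hint"])
```

The same comparison belongs inside a wallet app at the moment a pasted recipient is confirmed: the app already knows what address the user intended only if it captured it from a trusted source, so the practical mitigation is to show the prefix/suffix hints and require the user to confirm them against the original.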
Dmitry Kalinin, a cybersecurity expert at Kaspersky, explained the severity of the threat: “This version of Triada grants attackers almost unlimited control. By analyzing crypto transactions, we estimate they’ve already stolen around $270,000 in various cryptocurrencies—but the actual figure could be much higher, especially since they’re also targeting untraceable coins like Monero.”
What makes this attack especially alarming is that the phones come infected straight out of the box. According to Kalinin, the compromise likely occurs somewhere along the supply chain, meaning some sellers may be unaware they’re offering tainted devices.
Kaspersky has so far identified over 2,600 infected phones across multiple countries, with the majority of reports coming from Russia during the first quarter of 2025. While Triada has been around since 2016, this latest resurgence shows how persistent and adaptive the threat remains.
Known for targeting popular apps like WhatsApp, Gmail, and Facebook, Triada is typically spread through malicious downloads and phishing. However, its presence in preinstalled firmware marks a new level of danger and complexity.
To stay safe, Kaspersky advises consumers to purchase smartphones only from official or well-known retailers and to install trusted mobile security software immediately after setup.
This discovery comes amid growing concerns in the cybersecurity world. Just weeks earlier, Threat Fabric identified new Android malware designed to trick users into revealing their crypto seed phrases. Microsoft also warned of a remote access trojan targeting 20 crypto wallet browser extensions.
With cybercriminals increasingly focused on crypto theft, experts are urging users to be cautious about where they buy devices—and to stay up to date with security protections.