Germany affected

Triada Trojan discovered on counterfeit Android smartphones

Security researchers from Kaspersky have discovered a particularly sophisticated variant of the Triada Trojan on imitation Android smartphones. More than 2,600 users worldwide, including in Germany, are affected.

These devices, which are presumably sold via unauthorized dealers, already contain the malware in the system firmware. As a result, it remains undetected and gives attackers extensive control over the device.


Malware deeply integrated in the system

Unlike traditional Android malware, which usually enters the device through infected apps, this Triada variant is integrated directly into the system framework. As a result, it infects every running process and can carry out a wide range of malicious activities, including:

  • Theft of login data for social media and messenger accounts (e.g. TikTok, Instagram, Facebook, Telegram)
  • Manipulation of messages in apps such as WhatsApp and Telegram
  • Redirecting cryptocurrency transactions by changing wallet addresses
  • Falsification of caller IDs to redirect telephone calls
  • Monitoring of browser activity and insertion of manipulated links
  • Manipulation of SMS messages (interception, sending, deletion)
  • Activation of chargeable premium SMS services
  • Installation and execution of further malware
  • Blocking network connections to bypass security mechanisms

Dmitry Kalinin, malware analyst at Kaspersky Threat Research, warns of the threat:

“The Triada Trojan has emerged as one of the most advanced threats in the Android ecosystem. This new version infiltrates the device at the firmware level before it even reaches the user, indicating a compromised supply chain. According to analysis of open sources, the attackers have already smuggled at least 270,000 US dollars of stolen cryptocurrency into their wallets. The actual amount could be even higher due to the use of untraceable crypto coins such as Monero.”


Triada: A constantly evolving threat

Triada was discovered back in 2016 and has continued to evolve since then. The malware specifically uses system privileges to go unnoticed. The current wave of infections shows a new dimension of danger: the attackers are apparently compromising supply chains in order to put already infected smartphones into circulation straight from the factory. This is a worrying development and illustrates how cybercriminals are increasingly exploiting weaknesses throughout the supply chain.
