Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Triada Trojan comes preinstalled on Android devices

A new Triada trojan variant comes preinstalled on Android devices, stealing data on setup, warn researchers from Kaspersky. Kaspersky researchers discovered a new Triada trojan variant preinstalled on thousands of Android devices, enabling data theft upon setup. Kaspersky detected 2,600+ infections in Russia from March 13-27, 2025. The malware was discovered on counterfeit Android devices mimicking […]

Triada

A new Triada trojan variant comes preinstalled on Android devices, stealing data on setup, warn researchers from Kaspersky.

Kaspersky researchers discovered a new Triada trojan variant preinstalled on thousands of Android devices, enabling data theft upon setup. Kaspersky detected 2,600+ infections in Russia from March 13-27, 2025.

The malware was discovered on counterfeit Android devices mimicking popular smartphone models. The researchers speculate that threat actors behind this variant have compromised the supply chain, so stores may not even suspect that they are selling smartphones infected with Triada

“The new version of the malware is distributed in the firmware of infected Android devices. It is located in the system framework. This means that a copy of Triada gets into every process on the smartphone.” reads the report published by Kaspersky. “The malware has broad functionality and gives attackers almost unlimited control over the gadget”

The malware, embedded in the system framework, provides attackers full control over the device. It can steal accounts, send messages, steal crypto, monitor browsing, intercept SMS, and more.

“the authors of the new version of Triada are actively monetizing their efforts. Judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies*** to their crypto wallets.” said Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab. “However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”

To protect against malware, experts recommend buying smartphones from authorized distributors and installing security solutions like Kaspersky for Android immediately.

In March 2018, security researchers at Antivirus firm Dr.Web discovered that 42 models of low-cost Android smartphones were shipped with the Android.Triada.231 banking malware.

The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab who considered it the most advanced mobile threat seen to the date of the discovery.

Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.

The only way to remove the threat is to wipe the smartphone and reinstall the OS.

Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices of several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.

In July 2017, Dr..Web researchers discovered many smartphone models were shipped with the dreaded Triada trojan such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

The experts who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)