According to recent research and reports from leading cybersecurity companies, including Kaspersky Lab and other industry organizations, criminals are increasingly infecting counterfeit Android smartphones with malware that is pre-installed during manufacturing or assembly. Such devices pose serious risks to users, especially cryptocurrency owners.
Kaspersky Lab reports that thousands of counterfeit Android phones sold online at discounted prices ship with pre-installed malware, a modified version of the Triada Trojan. The Trojan embeds itself in the device’s system framework and is loaded into every process, giving attackers virtually unlimited control over the smartphone [3, 4, 6].
Kaspersky cybersecurity expert Dmitry Kalinin stresses that the Trojan gives attackers many avenues for theft. The main threat is cryptocurrency theft through substitution of crypto wallet addresses, along with theft of user credentials, including logins for messengers and social networks, with two-factor authentication codes potentially captured by intercepting SMS messages [3, 6].
Transaction analysis shows that attackers using the new version of Triada have already transferred about $270,000 in various cryptocurrencies to their own wallets, including Monero, a currency that is virtually impossible to trace, which significantly complicates the fight against the cybercriminals [3].
The Triada Trojan was first identified in 2016 and has traditionally targeted financial apps and messengers such as WhatsApp, Facebook and Gmail. The new version is significantly more dangerous and technically complex because it is pre-installed in the smartphone firmware: the malware is part of the device’s software before it reaches the user, which makes the infection hard to detect and remove [4, 6].
Infection occurs at the supply chain stage, during production or when the device firmware is reflashed. This means that even online sellers may not suspect the presence of malware in the smartphones they sell to end customers. In Russia, cases of infected smartphones are being recorded more and more often, especially in the first quarter of 2025; about 2,600 cases have already been confirmed across many countries [3, 1].
To protect against this threat, Kaspersky Lab experts recommend buying mobile devices only from official and trusted distributors and installing antivirus and other security software immediately after purchase. This helps reduce the risk from Trojans already built into the firmware and prevents them from gaining full control over the device [3, 1].
Beyond Triada, researchers are also recording new cyber threats aimed at cryptocurrency users. For example, ThreatFabric reported on the Crocodilus malware, which uses fake overlays to trick Android users into entering the secret recovery phrases needed to access their wallets [3]. Earlier, in March 2025, Microsoft identified a new remote access trojan (RAT) aimed at stealing funds from 20 cryptocurrency wallet extensions for the Google Chrome browser, indicating that the range of attacks on crypto assets is expanding [3].
Malware in counterfeit and unofficial Android devices therefore poses a serious threat to users, especially cryptocurrency owners, because it lets cybercriminals steal funds and personal data while remaining undetected for a long time.
Key facts and details:
- The Triada Trojan is built into the firmware of counterfeit Android smartphones, allowing it to infect every running process and control the device almost completely [4].
- Attackers use the Trojan to steal cryptocurrency by replacing wallet addresses and to steal credentials for instant messengers and social networks, including Telegram and TikTok [3, 6].
- The attackers’ estimated profit from these attacks is at least $270,000, transferred in various cryptocurrencies, including the hard-to-trace Monero [3].
- Devices carrying the malware are sold at reduced prices on online platforms, often from unknown sources, which exacerbates the problem [1].
- Experts advise buying devices only from official sellers and immediately installing antivirus software to minimize the risk [3, 1].
- In addition to Triada, new malware families focused on stealing crypto data are emerging, such as Crocodilus and Chrome browser extension trojans that can steal cryptocurrency directly [3].
- The spread of Trojans through the smartphone supply chain and firmware highlights the need for stronger quality control of devices and software [3].
These findings highlight the need for Android device owners to be especially careful when purchasing and using smartphones, especially if they plan to use cryptocurrency wallets. Using only trusted sources of purchase and reliable data protection tools is key to security in the current environment of growing cyber threats.
Why the Triada Trojan is Considered One of the Most Dangerous Threats to Android Devices
The Triada Trojan is considered one of the most dangerous threats to Android devices for several key reasons:
- Deep system integration: Triada injects itself into the Zygote parent process, which is the template from which all Android applications are launched. The Trojan thus becomes part of every running program, giving it the ability to infect and control any application on the device [1, 7].
- Modular architecture and stealth: Triada consists of multiple modules that can be loaded dynamically and perform various malicious actions, from stealing data to sending hidden messages. The Trojan hides its components from system listings by placing them in protected system folders, and thanks to the superuser (root) rights it has obtained, it is almost impossible to remove or detect [1, 7, 8].
- Almost unlimited control over the device: An infected device under Triada’s control allows cybercriminals to steal cryptocurrency, modify crypto wallet addresses, intercept SMS messages (including two-factor authentication codes), hijack accounts in social networks and messengers (Telegram, TikTok, etc.), and change the contents of browser pages or send messages on the user’s behalf [1, 3, 5].
- Pre-installed in firmware: The latest version of the Trojan is pre-installed in the system partitions of the firmware of counterfeit Android smartphones before the user even buys the device. This makes it difficult to detect and eradicate, since the Trojan is present at the system level and is restored after removal attempts [1, 4, 6].
- Financial damage: Research suggests that attackers using Triada have already stolen hundreds of thousands of dollars in cryptocurrency, including the hard-to-trace Monero, demonstrating the seriousness of the threat to users [1, 5, 6].
- Evolution and adaptability: Despite Android vulnerability patches and security tightening, Triada adapts to the new restrictions, bypassing them and refining its attack methods [1, 7].
Ultimately, the combination of technical sophistication, deep integration, extensive control capabilities and stealth makes the Triada Trojan one of the most dangerous and sophisticated cyber threats in the Android ecosystem [1, 5, 7].
Why is it so difficult to detect Triada on infected devices?
The high difficulty of detecting the Triada Trojan on infected Android devices is explained by the following key reasons:
- Integration at the system firmware level: Triada is pre-installed in the system partitions of the smartphone firmware before the device reaches the user. The Trojan is therefore embedded deep in the operating system and starts with it, making it virtually impossible to remove using standard methods [4, 6].
- Injection into the Zygote process: Triada infects the Zygote process, the parent process of all Android apps. This allows the Trojan to inject itself into every running app and perform malicious actions unnoticed by the user and by most security tools [1, 6].
- Modular architecture and stealth: The Trojan consists of several modules that can be loaded dynamically and change its functionality. The malicious components are hidden in system folders and protected from removal and detection, which also complicates the work of antivirus programs [1, 4].
- Obtaining root privileges: Triada exploits vulnerabilities to obtain superuser (root) privileges, which gives it full control over the device, the ability to hide from system tools and the means to prevent its own removal [1].
- Supply chain infection: Because the Trojan is introduced at the manufacturing or firmware level, even device sellers may be unaware of the infection, and users receive the infected device believing it to be clean, which rules out early detection and warning of users [2, 5, 6].
Together, these features make Triada resistant to detection and removal, allowing it to hide on the device for a long time and effectively control its operation without arousing the suspicion of the user or of standard Android security mechanisms.
Thus, deep system integration, use of root rights, modularity and infection at the production stage make the Triada Trojan one of the hardest pieces of malware to detect on Android [1, 4, 6].
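A triage check a defender can run on a suspect device, added here as an example and not code from the original article or from Kaspersky: it parses the output of `adb shell getprop` and flags boot-state, signing-key and build-fingerprint values that indicate the device is running tampered or non-official firmware, which is the delivery channel for the pre-installed Trojan described above. It cannot identify Triada itself; it only tells you whether the firmware is in a state where system-partition malware could be present. The sample getprop output is constructed, and `EXAMPLE-PHONE` and its fingerprint are placeholders.

```python
import re

# getprop prints one property per line as `[name]: [value]`.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample output, not from a real device; the model and
# fingerprint are placeholders.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.build.fingerprint]: [generic/example_phone/example:13/TQ1A/1:user/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [user]
[ro.product.model]: [EXAMPLE-PHONE]
"""

def parse_getprop(text: str) -> dict:
    """Turn `adb shell getprop` output into a {name: value} dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def firmware_findings(props: dict, expected_fingerprint: str = "") -> list:
    """Return human-readable findings; an empty list means nothing suspicious.

    expected_fingerprint is the vendor's published ro.build.fingerprint for the
    model, if you have it; a mismatch suggests repackaged or counterfeit firmware.
    """
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "")
    if state != "green":  # green = locked bootloader, verified OEM image
        findings.append(f"verified boot state is '{state or 'unknown'}', not 'green'")
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader is unlocked (ro.boot.flash.locked=0)")
    if props.get("ro.boot.veritymode") not in ("enforcing", None):
        findings.append(f"dm-verity mode is '{props['ro.boot.veritymode']}', not 'enforcing'")
    if props.get("ro.build.type") != "user":
        findings.append(f"build type is '{props.get('ro.build.type')}', not 'user'")
    if props.get("ro.build.tags") != "release-keys":
        findings.append(f"build is signed with '{props.get('ro.build.tags')}', not release-keys")
    if expected_fingerprint and props.get("ro.build.fingerprint", "") != expected_fingerprint:
        findings.append("build fingerprint does not match the vendor's published value")
    return findings

if __name__ == "__main__":
    for finding in firmware_findings(parse_getprop(SAMPLE_GETPROP)):
        print("WARNING:", finding)
```

On a real device, replace `SAMPLE_GETPROP` with the captured output of `adb shell getprop`; any finding is a reason to stop using the device for wallets or banking until the firmware has been verified with the vendor.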
How Triada’s Embedding into System Processes Increases Its Danger to Android
The introduction of the Triada Trojan into Android system processes significantly increases its danger for the following reasons:
- Triada injects itself into the Zygote process, which is the parent process for all Android apps and is responsible for launching and initializing each app. Because the Trojan becomes part of Zygote, it is automatically copied into every running app, gaining control over it from the moment it starts. This gives Triada the ability to silently affect the operation of any app on the device, including popular instant messengers and financial apps [1, 2, 3, 5].
- This deep integration at the system process level allows Triada to launch additional malware modules and to download and decrypt components for data theft, message interception, cryptocurrency theft, phishing and other attacks. It can filter messages, intercept two-factor authentication and covertly control the device while remaining invisible to most security tools [1, 2, 3].
- Since the Trojan is built into system libraries and resides in the firmware partition, Triada cannot be removed using standard tools. It is restored when the system restarts, which significantly complicates detection and eradication [1, 3, 5].
- Triada’s modular architecture allows it to adapt to specific applications, change its behavior and expand its functionality, making it extremely flexible and resilient to security measures [3, 5].
- Ultimately, Triada’s presence in system processes guarantees it maximum survivability and control over the device, allowing attackers to gain almost unlimited access to the smartphone’s data and functions without the user’s knowledge [2, 3, 5].
Thus, it is the integration of the Trojan into the key Android system process – Zygote – and its embeddedness in the system firmware that makes Triada one of the most dangerous and difficult to detect and remove threats on the Android platform.
How Triada’s Deep Integration Impacts Long-Term Security of Android Devices
The deep integration of the Triada Trojan into Android system processes has a serious negative impact on the long-term security of devices for the following reasons:
- Persistent system invasion: Triada is pre-installed in the system partitions of the firmware and is embedded in the key Zygote process from which all applications are launched. This means that the Trojan becomes part of every process on the device, providing constant and continuous control over the entire system. This integration makes it virtually invulnerable to conventional removal and protection methods.
- Virtually unlimited control: Built into the system framework, the Trojan gains superuser (root) rights, which allows it to covertly perform any operations – intercept and modify incoming and outgoing messages, steal cryptocurrency, manage applications and network connections. Such depth of control significantly reduces user security in the long term.
- Recovering from removal attempts: Since the Trojan is embedded in the firmware, standard antiviruses or resetting the device to factory settings are unable to completely destroy it. Triada automatically recovers every time the system is restarted, which ensures long-term infection and exploitation of the device by attackers.
- Difficulty in detection and diagnostics: The malware’s deep integration and modular structure allow it to hide malicious components in system folders and bypass protection tools. This leads to a long period of undetected control over the device, which increases the risk of serious data leaks and financial losses.
- Infection at the manufacturing and supply chain stage: Malware is embedded into the firmware at the manufacturing stage of counterfeit or compromised devices, meaning that the user receives an infected smartphone “out of the box” with no visible signs of a threat. This significantly complicates infection prevention and requires increased attention to the choice of supplier.
Thus, Triada’s deep integration into Android’s system components ensures a persistent, hidden and nearly indestructible presence of malware on the device, significantly undermining its long-term security and putting owners at risk of constant cyberattacks.
These findings are based on an analysis of the latest research from Kaspersky Lab and other cybersecurity organizations, which confirms that Triada remains one of the most dangerous and persistent threats to Android smartphones in 2025 [1, 2, 3, 4].
Sources:
- https://www.kaspersky.ru/blog/trojan-in-fake-smartphones/39418/
- https://securelist.ru/triada-trojan-modules-analysis/112473/
- https://www.kaspersky.ru/about/press-releases/novaya-versiya-triada-kradyot-kriptovalyutu-akkaunty-v-messendzherah-i-podmenyaet-nomera-telefonov-vo-vremya-zvonkov
- https://news.drweb.ru/show/?i=11749
- https://news.drweb.ru/show/?i=11390
- https://habr.com/ru/companies/icover/articles/391277/
- https://www.kaspersky.ru/blog/rise-of-triada/3624/
- https://www.cnews.ru/news/top/2025-06-25_v_rossijskih_marketplejsah
- https://cisoclub.ru/analiz-ducex-slozhnyj-upakovshhik-vredonosnogo-po-triada-dlja-android/
- https://www.securitylab.ru/news/557925.php
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%A2%D1%80%D0%BE%D1%8F%D0%BD%D1%8B
- https://www.forbes.ru/tekhnologii/533996-laboratoria-kasperskogo-vyavila-v-smartfonah-virus-pohititel-akkauntov-v-telegram
- https://cisoclub.ru/rost-ugrozy-trojanec-triada-atakuet-smartfony-android/
- https://www.comss.ru/page.php?id=16110
- https://www.securityvision.ru/blog/chto-takoe-kiberintsident-prostymi-slovami-o-slozhnoy-ugroze/
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D1%80%D0%B5%D0%B4%D0%BE%D0%BD%D0%BE%D1%81%D0%BD%D0%B0%D1%8F_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0_(%D0%B7%D0%BB%D0%BE%D0%B2%D1%80%D0%B5%D0%B4)
- https://cisoclub.ru/na-novyh-android-smartfonah-v-rossii-obnaruzhen-virus-kradushhij-akkaunty-v-telegram/
- https://www.telecomdaily.ru/news/2025/04/01/krayne-opasnyy-troyan-triada-vynosit-iz-novyh-smartfonov-vse-cennoe
- https://www.binance.com/ru/square/post/04-03-2025-triada-malware-poses-significant-threat-to-android-users-22420804844769
- https://newizv.ru/news/2025-04-02/v-rossii-prodayut-novye-telefony-s-virusami-kak-izbezhat-opasnoy-pokupki-436427
- https://xakep.ru/2016/03/04/triada-malware/
- https://www.cifrus.ru/news/na-android-obnaruzhili-noviy-super-opasniy-virus-triada
- https://tass.ru/obschestvo/17780967
- https://smotrim.ru/article/4560245
- https://www.vesti.ru/article/4560245
- https://www.kaspersky.ru/blog/ios-android-stealer-sparkkitty/39936/
- https://www.kaspersky.ru/blog/data-theft-during-charging-choicejacking-protection/39657/
- https://myseldon.com/ru/news/index/326959823
