That cheap smartphone does look like a steal, and it could well be, but not in the way you were hoping.

Cheap counterfeit devices are now being sold preloaded with malware that targets unsuspecting Android users, stealing bitcoin, replacing phone numbers during calls, and hijacking their social media accounts.

Security company Kaspersky reported the novel method for spreading the dangerous Triada trojan in new research. Since its discovery in 2016, Triada has evolved into one of the most complex and dangerous Android threats, as it is able to penetrate every process on the phone.

In its latest incarnation, hackers have deeply implanted the malware in the system framework of counterfeit smartphones, making it extremely difficult to find and remove.

“Perhaps, at one of the levels, the supply network is compromised, thus businesses may not even think that they are selling phones with Triada,” said Dmitry Kalinin, a security expert at Kaspersky Lab.

Between March 13 and 27, 2025, over 2,600 people encountered the Trojan, with the malware giving attackers “almost endless control” over their phones, according to the report.

The malware can steal user credentials from messaging apps like Telegram and TikTok, replace crypto wallet addresses, and even sabotage the victim’s communications by sending messages on their behalf.

As Kaspersky notes, this is likely just the tip of the iceberg, as the attackers continue to exploit these devices for financial gain.

What is the Triada trojan?

Triada first emerged in 2016 and has since become one of the most sophisticated mobile malware threats targeting Android users.

The modular Trojan gains root access to infected devices, allowing it to inject malicious code into system processes like Zygote, which controls the launch of all apps on Android.

This makes Triada extremely hard to detect, as it operates largely in the device’s RAM and often hides from conventional security checks.

The latest report said Triada also monitors web browser activity, replaces links, and can interfere with anti-fraud systems by blocking network connections.

One of Triada’s most disturbing features is its ability to silently change phone numbers during calls, enabling the attacker to intercept sensitive conversations.

The rising threat of mobile malware

Triada’s resurgence follows the recent emergence of other mobile malware strains, such as Crocodilus, which specifically targets crypto users.

Crocodilus uses social engineering tactics to steal wallet seed phrases by masquerading as legitimate apps.

Once installed, it can remotely control the infected device, allowing cybercriminals to siphon off sensitive data.

Kaspersky recommends keeping devices updated, installing trusted antivirus software, and avoiding apps from unknown sources to safeguard against these threats.
