A cybersecurity company has reported the discovery of numerous counterfeit Android smartphones available for purchase online, which are preloaded with malware intended to steal cryptocurrency and other sensitive information.
These Android devices are offered at discounted rates and are infected with a version of the Triada Trojan, which compromises every process on the device, granting attackers “nearly unlimited control,” as stated in an April 1 announcement.
According to a cybersecurity specialist, once the trojan infiltrates a device, it allows hackers to pilfer cryptocurrency by altering wallet addresses.
“The developers of the enhanced Triada are actively profiting from their creations; analysis of their transactions suggests they have transferred approximately $270,000 worth of various cryptocurrencies to their wallets,” he remarked.
“However, the actual amount could be higher, as the attackers are also going after Monero, a cryptocurrency known for its anonymity.”
In addition to stealing user account details, the trojan can intercept both incoming and outgoing messages, including those used for two-factor authentication. It can infiltrate smartphone firmware even before the device reaches the end user, with some online vendors potentially unaware of the hidden threat within the phones, the expert noted.
“It is likely that the supply chain has been compromised at some stage, meaning retailers may not even realize they are selling devices infected with Triada,” he explained.
Researchers report that they have so far identified 2,600 confirmed infections linked to this scheme across various countries, with most of the affected users located in Russia during the first quarter of 2025.
The Triada malware, first identified in 2016, is notorious for targeting financial and messaging applications like WhatsApp, Facebook, and Google Mail. It is typically delivered through malicious downloads and phishing efforts, as highlighted by another cybersecurity firm.
“The Triada Trojan has been recognized for quite some time, and it continues to be one of the most sophisticated and hazardous threats to Android devices,” the expert stated.
To avoid becoming a victim of this scam, it is advised to purchase devices only from authorized distributors and to install security solutions immediately upon acquisition.
Other cybersecurity firms have also raised concerns about emerging types of malware aimed at cryptocurrency users.
A recent report outlined the detection of a new form of malware capable of creating a deceptive overlay that tricks Android users into revealing their cryptocurrency seed phrases while it takes control of their devices.
Additionally, a tech giant announced that it uncovered a new remote access trojan (RAT) designed to attack cryptocurrency stored in 20 wallet extensions for the Google Chrome browser.