Counterfeit Android phones are hiding pre-installed malware that can infect every system process


Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

In a nutshell: It should go without saying that buying a very cheap, obviously counterfeit Android handset is a bad idea. Not only will you likely run into a slew of technical problems, but it could also contain pre-installed malware that infects virtually every process carried out by the handset.

Kaspersky researchers have discovered a new strain of the Triada Trojan preinstalled on thousands of new very cheap Android devices – counterfeit versions of popular models. The modular remote access trojan (RAT), first identified in 2016, can steal sensitive data and crypto while performing other malicious actions.

The malware is embedded in an infected phone's firmware, operating without detection and granting attackers full control over a device.

The list of malicious actions the new strain of Triada can perform is an extensive one. It can send and delete messages in WhatsApp, Telegram, and other messaging apps to impersonate users, hijack social media accounts, replace crypto wallet addresses inside apps to redirect the virtual currency to the attackers, track browsing activity, and even replace links in the browser.

Triada can also monitor, intercept, send, and delete SMS messages, send premium-rate SMS messages that sign the victim up for paid services, download and run other programs on an infected device, and block network connections to interfere with the operation of anti-fraud systems.

Dmitry Kalinin, an expert on cybersecurity at Kaspersky Lab, said the new version of Triada is likely being installed in the counterfeit phones during one of the early stages of the supply chain, so the stores selling the devices may not realize anything is amiss. There's always the chance that some vendors knew about the malware and were benefiting financially by spreading it, of course.

Kalinin adds that the authors of Triada have already used the malware to transfer about $270,000 in different cryptocurrencies from victims' crypto wallets to their own, though the actual amount may be higher as the attackers also stole Monero, a cryptocurrency that cannot be traced.

Over 2,600 people across multiple countries encountered the new version of Triada between March 13 and 27, 2025, with most of the cases reported in Russia.

Kaspersky says its mobile anti-virus software can detect Triada, though the company's products are banned in the US over its ties to Russia.
