Counterfeit Android phones preloaded with crypto-stealing malware
Cybersecurity firm Kaspersky has uncovered a widespread scam involving counterfeit Android smartphones preloaded with malware designed to steal cryptocurrency and sensitive user data.
The devices, sold at discounted prices online, are embedded with a version of the Triada Trojan, granting attackers extensive control over infected phones.
Triada, first discovered in 2016, operates stealthily by infiltrating the system framework and infecting every process on the device.
This latest variant allows hackers to hijack cryptocurrency transactions by replacing wallet addresses, intercept and delete SMS messages, and steal account information from messaging apps like WhatsApp and Telegram.
Dmitry Kalinin, a cybersecurity expert at Kaspersky, revealed that attackers have already transferred approximately $270,000 in cryptocurrencies to their wallets, though the actual amount may be higher due to the involvement of untraceable cryptocurrencies like Monero.
The malware is embedded into the smartphone firmware before reaching consumers, suggesting a compromise in the supply chain.
Kalinin noted that even online sellers may unknowingly distribute these compromised devices. “Probably, at one of the stages, the supply chain is compromised,” he said.
Kaspersky has identified 2,600 confirmed infections across multiple countries, with Russia accounting for most cases in early 2025.
Other affected regions include Brazil, Kazakhstan, Germany, and Indonesia.
The firm advises users to purchase devices only from authorised distributors and install security solutions immediately after purchase to mitigate risks.
Triada’s persistence underscores its standing as one of the most complex and dangerous threats to Android devices.
Its ability to operate undetected makes it challenging to remove without reflashing the device’s ROM.
Experts recommend using clean system images or trusted third-party ROMs like LineageOS for compromised devices.
This discovery adds to growing concerns about malware targeting cryptocurrency users.
Other recent threats include SparkCat malware embedded in apps on Google Play and Apple’s App Store, as well as new Android malware exploiting accessibility services to steal crypto wallet keys.