A new version of Triada spreads embedded in the firmware of Android devices
Essential information
- Published
- 25/04/2025 16:43
- Modified
- 25/04/2025 21:12
- Tags
- 2025-04-25 android credential-theft cryptocurrency firmware reverse proxy sms interception triada trojan
- Related entities
- 1 intrusion sets (apt), 3 techniques (mitre), 1 malware, 5 others
Description
Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the device. The Trojan's modular architecture allows attackers to deliver targeted payloads for stealing cryptocurrency, credentials, and other sensitive data from popular apps like WhatsApp, Facebook, and banking apps. It can also intercept SMS messages, make calls, and act as a reverse proxy. Over 4,500 infected devices have been detected worldwide, with the highest numbers in Russia, UK, Netherlands, Germany and Brazil. The attackers have stolen over $264,000 in cryptocurrency so far.