That cheap smartphone may look like a steal—and it could well be, but not in the way you were hoping.
Cheap counterfeit phones are now being sold preloaded with malware that targets unsuspecting Android users—stealing cryptocurrency, replacing phone numbers during calls, and hijacking their social media accounts.
Cybersecurity company Kaspersky reported the novel technique for spreading the dangerous Triada trojan in a recent analysis. Since its discovery in 2016, Triada has evolved into one of the most complex and dangerous Android threats as it is able to infiltrate every process on the smartphones.
In its latest iteration, hackers have deeply implanted the malware in the system framework of counterfeit smartphones, making it extremely difficult to detect and remove.
“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” said Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab.
Between March 13 and 27, 2025, over 2,600 users encountered the Trojan, with the malware giving attackers “almost unlimited control” over their smartphones, according to the report.
The malware can steal user credentials from messaging apps like Telegram and TikTok, replace crypto wallet addresses, and even hijack the victim’s communications by sending messages on their behalf.
As Kaspersky notes, this is likely just the tip of the iceberg, as the attackers continue to exploit these devices for financial gain.
What is the Triada trojan?
Triada first emerged in 2016 and has since become one of the most sophisticated mobile malware threats targeting Android users.
The modular Trojan gains root access to infected devices, allowing it to inject malicious code into system processes like Zygote, which controls the launch of all apps on Android.
This makes Triada extremely hard to detect, as it operates largely in the device’s RAM and often hides from conventional security checks.
The latest report said Triada also monitors web browser activity, replaces links, and can interfere with anti-fraud systems by blocking network connections.
One of Triada’s most disturbing features is its ability to silently change phone numbers during calls, enabling the attacker to intercept sensitive conversations.
The rising threat of mobile malware
Triada’s resurgence follows the recent emergence of other mobile malware strains, such as Crocodilus, which specifically targets crypto users.
Crocodilus uses social engineering tactics to steal wallet seed phrases by masquerading as legitimate apps.
Once installed, it can remotely control the infected device, allowing cybercriminals to siphon off sensitive data.
Kaspersky recommends keeping devices updated, installing trusted antivirus software, and avoiding apps from unknown sources to safeguard against these threats.