Proprietary 2024-06-13 · 316 days · Backdoor, Rootkit, Credential Theft, Cryptocurrency Theft, SMS Abuse, Proxy

Counterfeit Android firmware shipped Triada.z

Kaspersky disclosed a 2025 wave of Triada infections embedded in counterfeit Android smartphone firmware before the devices were sold.

Story

Kaspersky found counterfeit smartphones sold through online marketplaces with Triada.z embedded in their firmware. The firmware fingerprints differed from the official firmware by a single final letter. The devices were counterfeit and already infected at the point of sale.

The infected boot-framework.oat caused a malicious native library, binder.so, to load into Zygote, the parent process for Android applications. From there, Triada placed modules into every launched app process and could tailor behavior to the active package.

The payload set was broad. Kaspersky documented modules for Telegram, Instagram, browsers, WhatsApp, LINE, Skype, TikTok, Facebook, SMS, calls, reverse proxying, and cryptocurrency theft. The crypto module could replace wallet addresses and QR codes, while messaging modules stole tokens, filtered verification messages, and hid traces.

This is modeled as a separate attack from the earlier Android Triada firmware cases because the distribution evidence is different. The 2025 reporting points to counterfeit devices from online marketplaces, over 4,500 Kaspersky detections from March 13 to April 15, 2025, and attacker wallets holding more than $264,000 traced to the campaign since June 13, 2024.

Affected Artifacts

Counterfeit Android firmware with Triada.z

· Firmware
Observed
2024-06-13 to 2025-04-25
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • md5:f468a29f836d2bba7a2b1a638c5bebf0
  • md5:89c3475be8dba92f4ee7de0d981603c1
  • md5:fce117a9d7c8c73e5f56bda7437bdb28

  • Kaspersky telemetry detected more than 4,500 infected devices worldwide between March 13 and April 15, 2025; the actual count may be higher because of the distribution method.
  • Open-source wallet analysis found more than $264,000 in cryptocurrency stolen into attacker-controlled wallets since June 13, 2024.
  • The highest detection counts reported by Kaspersky were in Russia, the United Kingdom, the Netherlands, Germany, and Brazil.

Incident Context

Motive
Financial Gain Credential Theft Account Takeover
Cause
Counterfeit Firmware Compromise
Transitive
No
User Impact
4500

External References

Source record: proprietary/android_triada/meta.yaml