The excitement surrounding cryptocurrency has attracted not only investors but also digital thieves, for whom it has become a distinct line of work. A recent report from the cybersecurity company Kaspersky describes an even more alarming infection risk: substandard smartphones sold in bulk with malware already installed, ready-made for theft.
The Threat: Malware-Infected Phones Target Crypto Users
Kaspersky’s report describes a new, evolved version of a threat targeting Android users. The Triada trojan is embedded deep in the firmware of counterfeit phones, and once active it can drain funds from the user’s accounts automatically. These actions are carried out against victims without their knowledge.
Evolving Risks: Challenges with Android Users
Triada is not a new threat. It has been around since 2016 and is one of the most complex and dangerous malware families targeting Android phones. By gaining root access on an infected device, it can inject malicious code into critical system processes, including the one that controls which apps are launched on the device. Because it is embedded so deeply, it is very hard to remove by ordinary means.
Compromised Supply Chains: A Hidden Danger
Kaspersky’s findings suggest a disturbing possibility: that the malware is implanted in the phones somewhere along the supply chain, perhaps even before the devices are delivered to customers. “Most likely at one of the levels over the supply chain, it gets compromised, and thus even stores cannot have an idea that they are retailing smartphones that have Triada in them,” stated Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab. This implies that even buying a phone from a reputable store does not guarantee that the phone is clean.
Widespread Impact: Thousands of Users Affected
Per the Kaspersky report, between March 13 and March 27, 2025, more than 2,600 users encountered the Triada trojan. This is almost certainly an underestimate, because the malware’s stealthy design makes infections hard to detect, so the true number is far higher. Triada gives its operators ‘virtually unrestricted dominion’ over compromised smartphones, allowing them to carry out a wide range of malicious tasks.
Stealing Credentials and Hijacking Transactions: Triada’s Arsenal
Triada’s capabilities extend beyond cryptocurrency theft. It also gives attackers the ability to:
- Steal user credentials from Telegram and TikTok, letting attackers send messages to the victim’s contacts without authorization and impersonate the victim.
- Replace cryptocurrency wallet addresses, covertly rerouting transactions to wallets under the attacker’s control. This is a particularly serious risk, because users often do not realize that their funds are being sent to a different destination.
- Hijack the victim’s communications to send messages on their behalf, which enables further malware propagation and social engineering schemes.
A Multi-Stage Stealth and Persistent Attack
ReversingLabs researchers performed a deep technical analysis of the malware and found that it was designed as a multi-stage, stealthy and persistent attack.
- Infection Trigger: The infection begins when a user installs a malicious npm package, specifically pdf-to-office. Such packages often appear legitimate while concealing malicious code.
- Target Selection: The malware looks for wallet applications installed on the infected device.
- Archive Extraction: The malware targets the ASAR archives of Electron applications and unpacks them to reach the program code inside.
- File Retrieval: The malware retrieves specific JavaScript files of the wallet program, usually from its vendor folders.
- Code Modification: The injected code is Base64-encoded and swaps recipient wallet addresses for ones controlled by the attacker, altering the application so that the attacker gains control of the transaction.
- Communication with Command-and-Control Server: Once the device is infected, the malware reports to the command-and-control server, relaying details such as the user’s home directory path along with other status messages. This infection tracking lets attackers monitor infections in real time and learn more about the compromised systems.
A Growing Threat: The Need for Enhanced Security
The resurgence of the Triada trojan, together with the emergence of other mobile malware such as Crocodilus, illustrates the growing threat of sophisticated mobile malware aimed at cryptocurrency users. It highlights the need for protective measures not only from device manufacturers and app developers but also from individual users, in order to prevent financial and privacy losses.