NEWS The Return of Triada: New Android Versions Turn Smartphones into Spy Gadgets

ExcalibuR

Triada has moved into factory firmware — and is now on the hunt.

Newer Android versions have hardened the system partition to the point that even a process with superuser privileges cannot modify it. That protection cuts both ways: malware that ships pre-installed in the firmware sits behind the same barrier and becomes nearly impossible to remove, and criminals have taken advantage of this by embedding trojans directly into system applications.


According to a report by Kaspersky Lab, this is exactly how the notorious Triada malware (previously known through the Dwphon loader) has evolved. In March 2025, researchers found a new version of Triada in the firmware of counterfeit smartphones sold through online marketplaces. The trojan's code is loaded into the Zygote process, the parent from which every Android app process is forked, so it ends up inside every application on the device and gives the attackers full control of the system.


Triada now uses a multi-stage architecture. Its components reach every process through a modified system library, binder.so, that is embedded in the boot-framework.oat file and is therefore loaded into Zygote; because every app is forked from Zygote, the library lands in every app process. From there it launches three modules: a helper module, the main backdoor (mms-core.jar), and a third module that either steals cryptocurrency or installs additional malware.
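The three file names in that paragraph (a bare binder.so, a boot-framework.oat that references it, and mms-core.jar) are the kind of indicators you can hunt for in an extracted system image. The script below is an example added to this post, not Kaspersky's tooling or anything shipped with Triada: it walks a dump and reports those indicators. The directory layout and byte contents produced by build_sample_dump() are constructed for the demo, and the loader string "/system/lib64/binder.so" inside the fake OAT is an assumption about how a reference would look, not a quote from the real sample.

```python
"""Offline triage of an extracted Android system image for the file-level
indicators named in the article: a bare binder.so, a boot-framework.oat that
references it, and mms-core.jar.  Example code added to this post, not
Kaspersky's tooling; the tree built by build_sample_dump() is constructed."""
import os
import re
import tempfile

# Indicators taken from the article.  A stock build ships libbinder.so, never a
# bare "binder.so", so the exact basename is a strong signal by itself.
SUSPICIOUS_BASENAMES = {"binder.so", "mms-core.jar"}
OAT_NAME = "boot-framework.oat"
# Match "binder.so" only when it is not the tail of the legitimate "libbinder.so".
EMBEDDED_REF = re.compile(rb"(?<!lib)binder\.so")


def scan_dump(root):
    """Walk the extracted image under `root` and return (indicator, path)
    findings, sorted so the result is stable regardless of walk order."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in SUSPICIOUS_BASENAMES:
                findings.append(("suspicious file name", path))
            if name == OAT_NAME:
                with open(path, "rb") as fh:
                    data = fh.read()
                if EMBEDDED_REF.search(data):
                    findings.append(("boot-framework.oat references binder.so", path))
    return sorted(findings)


def build_sample_dump(tainted):
    """Construct a miniature /system tree in a temp dir.  With tainted=False it
    holds only the legitimate libbinder.so and a clean OAT; with tainted=True it
    carries the three indicators the article describes.  Returns the root."""
    root = tempfile.mkdtemp(prefix="triada_triage_")
    framework = os.path.join(root, "system", "framework")
    lib = os.path.join(root, "system", "lib64")
    os.makedirs(framework)
    os.makedirs(lib)
    with open(os.path.join(lib, "libbinder.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)              # stand-in for the real library
    oat = b"oat\x00" + b"\x00" * 8 + b"libbinder.so\x00"  # clean OAT mentions only libbinder
    if tainted:
        oat += b"/system/lib64/binder.so\x00"           # assumed loader string (constructed)
        with open(os.path.join(lib, "binder.so"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 12)
        with open(os.path.join(framework, "mms-core.jar"), "wb") as fh:
            fh.write(b"PK\x03\x04")                       # zip local-file header only
    with open(os.path.join(framework, OAT_NAME), "wb") as fh:
        fh.write(oat)
    return root


if __name__ == "__main__":
    for label, tainted in (("clean image", False), ("tainted image", True)):
        print(label)
        hits = scan_dump(build_sample_dump(tainted)) or [("nothing found", "")]
        for indicator, path in hits:
            print("  ", indicator, path)
```

On a real device you would point scan_dump() at a mounted system image or at a directory pulled with adb, and you would treat a hit on boot-framework.oat as the decisive one: the bare binder.so name can be renamed, but the modified OAT is what gets the library into Zygote.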


The helper module hooks into application processes to facilitate the later loading of malicious functions.
The main backdoor allows the malware to download new malicious modules from command-and-control (C2) servers, tailored based on device characteristics and installed apps.


Special attention is given to attacks on cryptocurrency applications. Malicious modules replace cryptocurrency wallet addresses in text fields and QR codes, intercept clipboard contents, and can install malicious APKs without user consent.


Triada actively targets popular apps like Telegram, WhatsApp, Instagram, various browsers, Skype, LINE, TikTok, and others. For each app, customized malicious modules have been developed to steal session tokens, cookies, user data, and even intercept and delete messages.


  • Telegram modules extract user tokens and delete messages based on predefined patterns.
  • WhatsApp modules can send messages on behalf of the victim and delete sent data.
  • Instagram modules steal cookies for active sessions.
  • Browser modules redirect opened links to advertising or phishing websites.

Triada can also turn an infected phone into a proxy that relays the attackers' traffic, or silently send SMS messages that subscribe the victim to premium services; in some cases it modifies the device's premium-SMS policy to bypass the system's restrictions.


Special attention should be given to the Clipper module, which integrates into the Google Play app and checks the clipboard every two seconds for cryptocurrency addresses to replace them with attacker-controlled ones.
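The clipper behaviour described here and in the cryptocurrency paragraph above (poll the clipboard, recognise a wallet address, replace it with the attacker's) is simple enough to model end to end. The block below is an example added to this post, not code from the article or from Kaspersky: clipper_tick() is the swap as described, detect_swaps() is a monitor-side check that flags an address silently turning into a different address of the same family, and base58check_ok() shows why a checksum alone is no defence. The ATTACKER_ADDRESSES list, the 2-second poll model in simulate() and the clipboard snapshots are constructed; the regexes cover only the public Bitcoin and Ethereum formats used here.

```python
"""Model of the clipboard swap the article attributes to Triada's Clipper
module, plus a detector for it.  Example code added to this post, not code from
the original article or from Kaspersky.  ATTACKER_ADDRESSES, the poll model in
simulate() and the snapshots are constructed for the demo."""
import hashlib
import re

ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),  # Base58Check P2PKH/P2SH
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,87}"),       # native SegWit
    "eth":        re.compile(r"0x[0-9a-fA-F]{40}"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed attacker-controlled destinations, one per family the module swaps.
ATTACKER_ADDRESSES = {
    "btc-legacy": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
    "eth": "0x" + "de" * 20,
}


def classify(text):
    """Return the address family `text` looks like, or None."""
    for family, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(text):
            return family
    return None


def base58check_ok(addr):
    """True if a legacy Bitcoin address carries a valid 4-byte double-SHA256
    checksum.  A clipper substitutes addresses that pass this test, so validity
    says nothing about whether the address is the one you copied."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # leading '1's are zero bytes
    if len(raw) != 25:                                         # version + hash160 + checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def clipper_tick(clipboard):
    """One poll of the module as the article describes it: if the clipboard
    holds an address of a family the attacker has a wallet for, swap it."""
    family = classify(clipboard.strip())
    if family in ATTACKER_ADDRESSES:
        return ATTACKER_ADDRESSES[family]
    return clipboard


def detect_swaps(snapshots):
    """snapshots: (seconds, clipboard_text) pairs from a monitor polling at
    least as often as the clipper.  Flags every transition where one address is
    replaced by a different address of the same family, a change a user rarely
    makes by hand within a single poll interval."""
    alerts = []
    prev_t, prev = None, None
    for t, text in snapshots:
        if prev is not None:
            old, new = classify(prev), classify(text)
            if old is not None and old == new and prev != text:
                alerts.append((prev_t, t, prev, text))
        prev_t, prev = t, text
    return alerts


def simulate(user_copy, ticks=3, interval=2.0):
    """The user copies `user_copy` at t=0 and the clipper then polls every
    `interval` seconds; returns what a clipboard monitor would record."""
    clipboard = user_copy
    snapshots = [(0.0, clipboard)]
    for i in range(1, ticks + 1):
        clipboard = clipper_tick(clipboard)
        snapshots.append((i * interval, clipboard))
    return snapshots


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public Bitcoin genesis address
    for t0, t1, before, after in detect_swaps(simulate(genesis)):
        print(f"clipboard address swapped between t={t0}s and t={t1}s:")
        print(f"  copied : {before} (checksum ok: {base58check_ok(before)})")
        print(f"  pasted : {after} (checksum ok: {base58check_ok(after)})")
```

The practical takeaway for a user is the same check detect_swaps() performs: compare the first and last few characters of the address you paste with the one you copied, because the substituted address will pass every format and checksum test the wallet app runs.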


An analysis of Triada's C2 servers revealed that attackers stole over $264,000 in cryptocurrency over recent months through address replacement and credential theft. According to telemetry data, over 4,500 devices have been infected, with most cases reported in the UK, Netherlands, Germany, Brazil, and other countries.


Triada shows a high level of technical sophistication; module code includes comments in Chinese, and similarities with the infrastructure of another malware project, Vo1d, suggest a possible connection between the groups.
The spread of infected devices is linked to counterfeit smartphones featuring fake firmware fingerprints. It’s likely that some device suppliers were unaware of the malware’s presence.


To minimize the damage, it is strongly recommended to reflash the device with clean official firmware, avoid using messengers and cryptocurrency apps until the device is cleaned, and install a reliable antivirus solution to prevent similar attacks in the future.