|

Hackers are selling counterfeit phones with crypto-stealing malware

Cybersecurity firm Kaspersky says it has uncovered thousands of counterfeit Android smartphones sold online with preinstalled malware designed to steal crypto and other sensitive data. 

The Android devices are sold at reduced prices, cybersecurity firm Kaspersky Labs said in an April 1 statement, but are riddled with a version of the Triada Trojan that infects every process and gives the attackers “almost unlimited control” over the device. 

Dmitry Kalinin, a cybersecurity expert at Kaspersky Labs, said that once the trojan grants the attackers access to devices, they can steal crypto by replacing wallet addresses. 

“The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets,” he said. 

“However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”

Among the trojan’s other capabilities are stealing user account information and intercepting incoming and outgoing texts, including two-factor authentication. 

The trojan penetrates smartphone firmware even before the phone reaches users, and some online sellers might not even be aware of the ticking time bomb in the device, according to Kalinin.

“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” he said. 

At this stage, Kaspersky researchers say they have found 2,600 confirmed infections through this scam in different countries, with the majority of users in Russia encountering it in the first three months of 2025.

Chart

The Android devices are sold at reduced prices but are riddled with malware. Source: Hovatek

The Triada malware first surfaced in 2016 and is known for targeting financial applications and messaging apps like WhatsApp, Facebook and Google Mail, according to cybersecurity firm Darktrace. It is generally delivered through malicious downloads and phishing campaigns. 

“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” Kalinin said. 

The best way to avoid falling victim to this scam is to only purchase devices from legitimate distributors and install security solutions immediately after purchase, according to Kaspersky Labs. 

Other firms have also been raising the alarm over new forms of malware targeting crypto users. 

Cybersecurity firm Threat Fabric said in a March 28 report it found a new family of malware that can launch a fake overlay to trick Android users into providing their crypto seed phrases as it takes over the device.

On March 18, tech giant Microsoft said it found a new remote access trojan (RAT) that targets crypto held in 20 wallet extensions for the Google Chrome browser. 

Author

Cointelegraph Team

Cointelegraph Team

Cointelegraph

We are privileged enough to work with the best and brightest in Bitcoin.

More from Cointelegraph Team
Share:

Editor's Picks

XRP extends decline as muted on-chain activity, bearish technicals weigh

Ripple (XRP) continues to trade under heavy selling, trading below $1.10 at the time of writing on Wednesday. The remittance token marks four consecutive days of declines, weighed down by geopolitical tensions and significantly low risk appetite.

Crypto Today: Bitcoin, Ethereum, XRP extend technical weakness amid escalating tensions in the Middle East

Cryptocurrencies are broadly extending declines on Wednesday, after last week’s recovery. The sell-off has seen Bitcoin (BTC) slide below $62,000, increasing downside risks toward the next key support at $60,000.

Solana nears key support zone as bears aim for a 20% downside

Solana price is down 3% on Wednesday, extending a bearish reversal after an overhead trendline capped the previous week’s recovery. Institutional inflows eased to $1.67 million on Tuesday, while declining Open Interest and fluctuating funding rates indicate mixed retail demand.

Hyperliquid extends losses as retail demand fades

Hyperliquid (HYPE) slips below $70 on Wednesday, extending a steady decline so far this week. A broader market risk-off sentiment weighs down on the retail support for HYPE despite steady institutional demand, with $4.32 million in inflows on Tuesday.

Bitcoin: Quarter-end rebalancing might fuel BTC next bullish move
Bitcoin (BTC) is up over 3% so far this week, trading above $61,800 at the time of writing on Friday after slipping to a 21-month low earlier this week. Institutional selling continued, with spot Exchange Traded Funds (ETFs) recording net outflows of over $520 million through Thursday, pointing to the eighth consecutive week of withdrawals.