Hackers are selling counterfeit phones with crypto-stealing malware

Cybersecurity firm Kaspersky says it has uncovered thousands of counterfeit Android smartphones sold online with preinstalled malware designed to steal crypto and other sensitive data. 

The devices are sold at reduced prices but are riddled with a version of the Triada Trojan that infects every process and gives the attackers “almost unlimited control” over the device, Kaspersky Labs said in an April 1 statement.

Dmitry Kalinin, a cybersecurity expert at Kaspersky Labs, said that once the trojan grants the attackers access to devices, they can steal crypto by replacing wallet addresses. 

“The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets,” he said. 

“However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”

The trojan’s other capabilities include stealing user account information and intercepting incoming and outgoing texts, including two-factor authentication messages.

The trojan penetrates smartphone firmware even before the phone reaches users, and some online sellers might not even be aware of the ticking time bomb in the device, according to Kalinin.

“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” he said. 

At this stage, Kaspersky researchers say they have found 2,600 confirmed infections through this scam in different countries, with the majority of users in Russia encountering it in the first three months of 2025.

The Android devices are sold at reduced prices but are riddled with malware. Source: Hovatek

The Triada malware first surfaced in 2016 and is known for targeting financial applications and messaging apps like WhatsApp, Facebook and Google Mail, according to cybersecurity firm Darktrace. It is generally delivered through malicious downloads and phishing campaigns. 

“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” Kalinin said. 

The best way to avoid falling victim to this scam is to only purchase devices from legitimate distributors and install security solutions immediately after purchase, according to Kaspersky Labs. 

Other firms have also been raising the alarm over new forms of malware targeting crypto users. 

Cybersecurity firm ThreatFabric said in a March 28 report that it had found a new family of malware that can launch a fake overlay to trick Android users into providing their crypto seed phrases as it takes over the device.

On March 18, tech giant Microsoft said it found a new remote access trojan (RAT) that targets crypto held in 20 wallet extensions for the Google Chrome browser. 

Author

Cointelegraph Team

Cointelegraph
