Jakarta, INTI – Android devices are now facing a serious new threat—not from suspicious apps, but from deep within the system itself. The latest version of the sophisticated Triada Trojan has been discovered embedded directly into the firmware of counterfeit smartphones sold through unauthorized retailers. Shockingly, this malware is active even before the device is used by the consumer.
Cybersecurity firm Kaspersky has identified this new variant as Backdoor.AndroidOS.Triada.z. Because it is integrated directly into the system firmware, the malware cannot be detected through standard security methods and gives attackers full remote control over infected devices.
More Than 2,600 Victims Worldwide, Indonesia Among the Targets
This version of Triada has already infected over 2,600 users globally, with the highest number of victims reported in Russia, Brazil, Kazakhstan, Germany, and Indonesia. The fact that the malware infiltrates devices before reaching users indicates a supply chain compromise, likely during the manufacturing or distribution stages.
For many users, these devices appear to function normally—until personal data is silently stolen in the background.
Triada’s Expanding Capabilities
Triada is not your average mobile malware. It embeds itself into the Android operating system and attaches to every running process, allowing it to steal account credentials from popular messaging and social media apps such as Telegram, TikTok, Facebook, and Instagram. It can also read, delete, and send messages on behalf of the user in apps like WhatsApp and Telegram.
Even more dangerously, the malware can replace cryptocurrency wallet addresses to steal digital assets, intercept and redirect phone calls, inject malicious links into browser sessions, and trigger premium SMS services to inflate users’ bills. It can even block internet access to avoid detection and security updates.
Years of Evolution Behind a Sophisticated Attack
Kaspersky malware analyst Dmitry Kalinin explains that this latest Triada variant is one of the most advanced threats in the Android ecosystem. "The fact that the infection happens at the firmware level before the device even reaches the user points to a serious supply chain compromise," he said.
Open-source intelligence (OSINT) analysis revealed that the attackers have funneled at least $270,000 (around IDR 4.5 billion) in stolen cryptocurrency to their wallets. The true amount could be much higher, as some transactions were made using untraceable digital currencies like Monero.
First discovered in 2016, Triada has evolved significantly over the years—becoming more resilient and elusive, leveraging system-level privileges to bypass authentication processes and stay hidden from antivirus programs.
How to Protect Yourself from This "Factory Trojan"
Given the complexity and stealth of this malware, the most critical step users can take is to buy smartphones only from trusted and authorized retailers. Tempting offers from unofficial sellers could cost far more in the long run than the money saved.
Additionally, users are encouraged to enable the device's built-in security features, keep the system and apps up to date, and watch for suspicious activity on their devices.
Conclusion: Think Twice Before Buying Cheap Android Devices
The latest Triada Trojan highlights a dangerous shift in cyberattacks—where a device can be compromised before it's even powered on. This underscores how far cybercriminals are willing to go, infiltrating the very supply chains that deliver devices into users' hands.
In today's digital age, awareness is no longer optional. Protecting yourself means being cautious about where and how you buy your tech. Security starts not just with your password, but with the device itself.