Kaspersky: 2,600 Crypto Thefts Tied to Malware on Cheap Androids

Cybersecurity firm Kaspersky Labs has revealed that over 2,600 cryptocurrency attacks have been linked to low-cost Android smartphones that ship with malware pre-installed. The malware is a version of the Triada Trojan, which allows attackers to gain almost complete control over the device.

According to Dmitry Kalinin, a cybersecurity expert at Kaspersky, once the Trojan is active, it enables the attackers to steal cryptocurrency by swapping wallet addresses. “The authors of this new version of Triada are actively profiting from their malware,” Kalinin said. 

“Through transaction analysis, we’ve tracked around $270,000 in various cryptocurrencies transferred to their wallets.” He also noted that the actual amount could be higher, especially since the attackers targeted Monero, a cryptocurrency known for being untraceable.

The Triada Trojan also poses other threats, such as stealing user account credentials and intercepting messages, including two-factor authentication codes. It even infiltrates the phone’s firmware before the device reaches the user, meaning some online sellers may unknowingly be distributing infected phones. “At some point in the supply chain, the devices are compromised,” Kalinin explained, “so sellers might not realize they’re offering smartphones infected with Triada.”

Kaspersky’s research shows that the majority of the infections have been reported in Russia, with more than 2,600 cases confirmed across various countries in early 2025. The Triada Trojan, which first appeared in 2016, is notorious for targeting financial and messaging apps like WhatsApp, Facebook, and Gmail, often through phishing campaigns or malicious downloads. Kalinin highlighted that it remains one of the most dangerous and sophisticated threats to Android users.

Kaspersky advises purchasing phones only from trusted sources and installing security measures immediately upon receiving the device to avoid falling victim to such attacks.