Cybersecurity researchers at Kaspersky Labs have discovered thousands of fake Android smartphones being sold online with pre-installed malware that targets cryptocurrency and personal data.
The counterfeit devices, offered at discounted prices, come infected with an advanced version of the Triada Trojan, which gives attackers extensive control over the compromised phones.
According to Dmitry Kalinin, a Kaspersky Labs expert, the malware has already enabled criminals to steal approximately $270,000 in various cryptocurrencies. The actual amount could be higher: the attackers also targeted Monero, an untraceable cryptocurrency, so any funds taken in it would not appear in that figure.
The Triada malware's capabilities extend beyond crypto theft. It can intercept text messages, including two-factor authentication codes, and steal user account credentials. Because the malware is embedded in the device's firmware before the phone reaches consumers, it is extremely difficult to detect and remove.
"The supply chain appears compromised at some point, meaning retailers may be unaware they are selling infected devices," explained Kalinin.
Kaspersky's investigation revealed 2,600 confirmed infections across multiple countries, with Russia seeing the highest number of cases in early 2025. The Triada Trojan, first identified in 2016, is known for targeting financial and messaging applications like WhatsApp, Facebook, and Google Mail.
To protect against this threat, Kaspersky recommends purchasing phones only from authorized dealers and installing security software immediately after purchase.
This discovery highlights the growing sophistication of crypto-targeting malware and the risks associated with buying discounted electronics from unauthorized sellers.