Hackers are selling counterfeit phones with crypto-stealing malware
Cybersecurity firm Kaspersky says it has uncovered thousands of counterfeit Android smartphones sold online with preinstalled malware designed to steal crypto and other sensitive data. The Android devices are sold at red...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
Cybersecurity firm Kaspersky says it has uncovered thousands of counterfeit Android smartphones sold online with preinstalled malware designed to steal crypto and other sensitive data.
The Android devices are sold at reduced prices, cybersecurity firm Kaspersky Labs said in an April 1 statement, but are riddled with a version of the Triada Trojan that infects every process and gives the attackers “almost unlimited control” over the device.
Dmitry Kalinin, a cybersecurity expert at Kaspersky Labs, said that once the trojan grants the attackers access to devices, they can steal crypto by replacing wallet addresses.
“The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets,” he said.
“However, in reality, this amount may be larger; the attackers also targeted Monero, a cryptocurrency that is untraceable.”Among the trojan’s other capabilities are stealing user account information and intercepting incoming and outgoing texts, including two-factor authentication.
The trojan penetrates smartphone firmware even before the phone reaches users, and some online sellers might not even be aware of the ticking time bomb in the device, according to Kalinin.
“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada,” he said.
At this stage, Kaspersky researchers say they have found 2,600 confirmed infections through this scam in different countries, with the majority of users in Russia encountering it in the first three months of 2025.
The Android devices are sold at reduced prices but are riddled with malware. Source: Hovatek
The Triada malware first surfaced in 2016 and is known for targeting financial applications and messaging apps like WhatsApp, Facebook and Google Mail, according to cybersecurity firm Darktrace. It is generally delivered through malicious downloads and phishing campaigns.
“The Triada Trojan has been known for a long time, and it still remains one of the most complex and dangerous threats to Android,” Kalinin said.
The best way to avoid falling victim to this scam is to only purchase devices from legitimate distributors and install security solutions immediately after purchase, according to Kaspersky Labs.
Other firms have also been raising the alarm over new forms of malware targeting crypto users.
Related: Crypto exploit, scam losses drop to $28.8M in March after February spike
Cybersecurity firm Threat Fabric said in a March 28 report it found a new family of malware that can launch a fake overlay to trick Android users into providing their crypto seed phrases as it takes over the device.
On March 18, tech giant Microsoft said it found a new remote access trojan (RAT) that targets crypto held in 20 wallet extensions for the Google Chrome browser.
Magazine: Mystery celeb memecoin scam factory, HK firm dumps Bitcoin: Asia Express
Why this matters
This cryptocurrency story adds another data point to the current market tape and is useful when read alongside nearby source coverage.
Original source
Read on CointelegraphRelated market context
Florida man arrested for stealing $220K in crypto via Steam malware scheme
A 21-year-old Florida man was arrested for allegedly stealing $220K in crypto by embedding malware in Steam games, infecting 8,000...
Across Protocol confirms Solana bridge attack, says user funds are safe
Across Protocol confirmed an attack on its Solana bridge deployment, disabling deposits while assuring users their funds remain sa...
MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
A macOS malware steals credentials to hijack Telegram sessions, decrypt cryptocurrency wallets or trick users into entering their...
Three UK men jailed for £4M crypto scam using fake police websites, says Met Police
Three UK men sentenced to up to 6 years in prison for a 4 million crypto fraud scheme where they impersonated police officers usin...
Three signs the US economy is on firmer footing, and what it means for crypto
US GDP growth hit 2.1% in Q1 2026, consumer spending climbed 0.7%, and recession odds fell to 25%. Here's what it means for crypto...
Dutch crypto exchange collapses exposing customer balances’ true value amid multi-million-euro hole
Dutch crypto exchange Knaken's operating company and its affiliated payments foundation entered court-controlled bankruptcy on Jul...