A new variant of the Triada Trojan has been discovered infiltrating Android smartphones through counterfeit firmware, enabling attackers to hijack Telegram accounts, manipulate cryptocurrency wallets, and intercept communications. With over 2,600 confirmed infections, this article reveals critical protection strategies and technical insights from Kaspersky Lab.

​1. Infection Vectors: Counterfeit Firmware Distribution

The Triada Trojan spreads via unauthorized online stores selling devices preloaded with compromised firmware. Attackers exploit:

• ​Gray-market Devices: Smartphones with modified OS versions claiming “enhanced performance.”
• ​Supply Chain Vulnerabilities: Retailers unknowingly distributing infected units, particularly mid-range models priced under $300.

​2. Technical Capabilities of Triada 2025 Variant

This iteration demonstrates unprecedented stealth and control:

• ​Cross-Process Injection: Infiltrates all running apps to harvest Telegram session keys and TikTok login credentials.
• ​Network Manipulation: Blocks security updates while redirecting traffic to phishing servers mimicking Google Play.
• ​Call Hijacking: Alters phone numbers during VoIP calls to bypass SMS-based 2FA systems.

​3. Telegram Account Takeover Mechanics

The Trojan employs three-stage attacks against Telegram:

1. ​Session File Theft: Extracts /data/data/org.telegram.messenger/shared_prefs/userconfig.xml containing auth tokens.
2. ​Bot API Exploitation: Uses Telegram’s API to remotely send messages and delete chat histories.
3. ​Real-time Surveillance: Activates cameras/microphones during video calls via accessibility service exploits.

​4. Protective Measures Recommended by Experts

Kaspersky Lab advises:

• ​Firmware Verification: Check SHA-256 hashes against OEM databases before device activation.
• ​App Whitelisting: Restrict installations to vetted stores like Google Play Protect-certified platforms.
• ​Behavior Monitoring: Use tools like Kaspersky Internet Security to detect abnormal network traffic patterns.

​5. Case Study: $1.2M Cryptocurrency Heist

In March 2025, attackers used Triada-infected devices to:

• Drain Binance and Coinbase wallets via session hijacking.
• Manipulate Telegram-based trading bots to execute unauthorized transactions.
• Conceal traces by deleting security alert emails through IMAP exploits.

The Triada Trojan’s evolution underscores critical gaps in Android’s firmware ecosystem. Users must prioritize device sourcing from authorized vendors and implement multi-layered security protocols to safeguard sensitive communications on Telegram and other platforms.