Cyber security specialists have discovered a new, sophisticated version of the Triada Trojan, pre-installed on counterfeit Android smartphones, which enables cryptocurrency theft, call redirection and the hijacking of social network accounts.
Triada can redirect calls and hijack social network accounts
The sophisticated version of the Triada Trojan comes pre-installed on counterfeit Android smartphones, apparently sold through unauthorized distributors, say Kaspersky experts. Integrated directly into the system firmware, the malware operates undetected and gives attackers complete control over infected devices.
Over 2,600 users worldwide have been affected. Most cases have been registered in Brazil, Kazakhstan, Germany, Indonesia and the Russian Federation.
Unlike typical mobile malware, which is delivered through applications, this variant of the Triada Trojan is embedded directly in the system and infiltrates every running process. This approach allows it to carry out a wide range of malicious activities, including:
• Stealing messaging and social network accounts, such as Telegram, TikTok, Facebook and Instagram
• Sending and deleting messages in applications such as WhatsApp and Telegram
• Replacing cryptocurrency wallet addresses with those of the attackers
• Redirecting phone calls by spoofing the caller ID
• Monitoring browser activity and injecting malicious links
• Intercepting, sending and deleting SMS messages
• Incurring charges via premium SMS without the user's consent
• Downloading and running additional malware files
• Blocking network connections to evade anti-fraud systems
Kaspersky solutions detect this variant under the name Backdoor.AndroidOS.Triada.z.
First discovered in 2016, Triada has evolved constantly, exploiting system-level privileges to commit fraud, intercept SMS authentication codes and evade detection. This latest campaign marks a worrying escalation, as the attackers appear to be taking advantage of supply chain weaknesses to install the malware at the Android firmware level.