Hackers Selling Counterfeit Phones With Crypto-Stealing Malware Worldwide

by
Hackers Selling Counterfeit Phones With Crypto-Stealing Malware Worldwide

Cybercriminals are taking advantage of unsuspecting buyers by selling counterfeit Android smartphones preloaded with crypto-stealing malware. According to cybersecurity firm Kaspersky Labs, thousands of compromised devices have been found in circulation, with hackers using a variant of the notorious Triada Trojan to gain complete control over victims’ phones.

Hackers Selling Counterfeit Phones With Crypto-Stealing Malware Worldwide

The preinstalled malware allows attackers to steal cryptocurrencies, intercept two-factor authentication (2FA) messages, and replace wallet addresses to reroute funds. Kaspersky’s research has identified 2,600 confirmed infections globally, with the majority of cases reported in Russia within the first three months of 2025.

The criminals behind this scheme have reportedly managed to steal over $270,000 in cryptocurrencies, including Bitcoin, Ethereum, and Monero. However, cybersecurity experts warn that the actual financial damage could be much higher, given the untraceable nature of some digital assets.

How Counterfeit Phones Are Used for Crypto Theft

The Triada Trojan, a well-documented Android malware, was first discovered in 2016. It is known for targeting financial applications and messaging services like WhatsApp, Facebook, and Gmail. Unlike other types of malware that require user interaction (such as clicking a malicious link), the Triada Trojan is embedded into the phone’s firmware before it reaches the buyer.

How the Attack Works:

  1. Compromised Supply Chains:
    • Hackers infiltrate the manufacturing or distribution process, embedding Triada into counterfeit phones before they are shipped.
    • Unsuspecting online sellers may unknowingly distribute infected devices.
  2. Trojan Activation:
    • Once the phone is powered on, Triada immediately runs in the background, gaining root access to the device.
    • The malware integrates into system processes, making it almost impossible to detect and remove.
  3. Crypto Theft and Data Hijacking:
    • The malware intercepts crypto transactions, replacing wallet addresses with those controlled by hackers.
    • It steals login credentials, bank account details, and other sensitive data.
    • Attackers can also monitor incoming text messages, including 2FA security codes, giving them full control over accounts.
  4. Financial Gains for Hackers:
    • Cybercriminals monetize their efforts by draining funds from compromised wallets.
    • Transactions using privacy-focused cryptocurrencies like Monero make it difficult to trace stolen funds.

Also Read: Microsoft Warns of Hackers Using Device Code Phishing to Steal Emails

Confirmed Infections and Global Spread of the Scam

Kaspersky’s Findings on the Crypto-Stealing Malware:

  • 2,600 confirmed cases of infection have been reported across multiple countries.
  • Russia has been the most affected region, with many victims purchasing cheap Android phones online.
  • The malware remains undetected for months, causing cumulative financial losses.

While Russia has seen the highest number of infections, cybersecurity researchers warn that these compromised devices may be distributed worldwide through third-party sellers, black markets, and unauthorized online retailers.

Kaspersky Expert’s Warning:

Dmitry Kalinin, a leading cybersecurity researcher at Kaspersky Labs, stated:

“Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada.”

This means that some sellers unknowingly participate in distributing infected devices, making it even more difficult for authorities to track down the perpetrators.

Also Read: Unveils World-First UK AI Security Standard to Protect Technology : 13 Principles

The Evolution of the Triada Trojan and Its Capabilities

The Triada Trojan is considered one of the most advanced and persistent threats to Android devices. Initially discovered in 2016, it has evolved significantly, integrating with system processes to bypass security protections.

Key Features of the Triada Trojan:

  • Stealth Mode: Runs in the background, avoiding detection by most antivirus software.
  • Root Access Exploitation: Gains full control over Android’s core system, allowing hackers to manipulate all functions.
  • Financial Fraud: Targets banking apps, crypto wallets, and payment platforms.
  • Data Theft: Extracts user credentials, contacts, and private messages.
  • Persistence: Unlike standard malware, Triada cannot be removed by resetting the device.

Cybersecurity firm Darktrace has also highlighted that Triada is often distributed through phishing attacks and malicious downloads, further spreading its reach beyond preinstalled malware.

How to Protect Yourself from Crypto-Stealing Malware

Given the increasing sophistication of malware threats, users must take proactive security measures to avoid falling victim to counterfeit Android phones.

Safety Tips to Avoid Compromised Devices:

  1. Purchase from Authorized Sellers:
    • Avoid buying discounted smartphones from unknown online marketplaces.
    • Stick to official retailers and certified distributors.
  2. Verify Device Authenticity:
    • Check the IMEI number and compare it with official records.
    • Look for unusual system behavior after setting up a new phone.
  3. Install Mobile Security Software:
    • Use trusted antivirus solutions like Kaspersky, Norton, or Bitdefender.
    • Regularly scan for unusual background activities.
  4. Monitor Crypto Transactions Carefully:
    • Double-check wallet addresses before sending funds.
    • Enable multi-layer security on crypto wallets.
  5. Avoid Downloading Unverified Apps:
    • Install apps only from Google Play Store or verified sources.
    • Beware of fake financial and banking apps.
  6. Perform Factory Reset and Flash the Firmware:
    • If you suspect a device is infected, consider reinstalling the operating system using official firmware.

Also Read: How AI Fuels Teen Hackers and Redefines Modern Cybercrime in 2025

FAQs

1. How do hackers install malware on counterfeit phones?

Hackers infiltrate the supply chain, embedding malware in phone firmware before they are sold.

2. What is the Triada Trojan, and how does it work?

Triada is an advanced Android malware that gains root access, allowing hackers to steal sensitive data and crypto assets.

3. How much money have hackers stolen using this malware?

According to Kaspersky, cybercriminals have stolen at least $270,000, but the actual figure may be much higher.

4. Why is Monero a preferred cryptocurrency for hackers?

Monero offers privacy-focused transactions, making it hard to trace stolen funds.

5. How can I check if my phone is infected?

Unusual battery drain, high data usage, and unauthorized transactions may indicate malware infection.

6. Can resetting my phone remove the Triada Trojan?

No, Triada integrates into the system firmware, making it impossible to remove with a factory reset.

7. Where are most of the infected phones being sold?

Most infections have been reported in Russia, but counterfeit devices are sold globally.

8. How can I protect my crypto from such attacks?

Use hardware wallets, two-factor authentication, and verified apps to secure your assets.

9. Is this type of attack new?

No, but cybercriminals are constantly evolving their methods to exploit unsuspecting users.

10. What should I do if I suspect my phone is infected?

Stop using it immediately, scan for malware, and consider flashing official firmware.

Leave a Comment

© TechyNerd

Privacy Policy Terms of Service Disclaimer