Attackers Embedding Triada Trojan in Device Firmware Before Retail Release

Cybersecurity researchers have uncovered a sophisticated campaign in which threat actors are embedding the infamous Triada Trojan directly into the firmware of Android devices before they reach consumers.

This marks a significant escalation in mobile malware tactics, leveraging supply chain vulnerabilities to deliver an advanced, multi-stage backdoor with virtually unlimited control over infected devices.

Supply Chain Compromises Lead to Pre-Installed Malware on Android Devices

Unlike traditional malware, which relies on exploiting runtime vulnerabilities or tricking users into sideloading malicious apps, the new strains of Triada are installed within the system partition of device firmware at the manufacturing or supply chain level.

[Figure: Triada Trojan infection chain]

By doing so, attackers bypass modern Android security mechanisms that prevent modification of system partitions post-manufacture, making such malware extremely difficult, if not impossible, for end users to detect and remove.

The infection mechanism centers around malicious native libraries (notably binder.so) and a compromised system framework (boot-framework.oat), which are inserted into /system/framework/arm/ or /system/framework/arm64/.

The attack chain begins as the infected firmware loads the malicious library into Zygote, the parent process responsible for launching every Android app.

This initial compromise ensures that a copy of the Trojan is injected into every application that runs, providing the malware authors total control over user data and device operation.

The modular architecture of Triada is a key innovation. Upon execution, the Trojan deploys different payloads based on the target application.

For cryptocurrency apps, it injects a loader module that retrieves configuration data from attacker-controlled GitHub repositories, downloading and activating crypto-stealing payloads that hijack withdrawal transactions, intercept clipboard wallet addresses, and even substitute QR codes in graphical elements.

For messaging and social media apps like Telegram, WhatsApp, LINE, Skype, TikTok, Instagram, and Facebook, purpose-built modules are downloaded on demand to harvest credentials, steal cookies and session tokens, monitor or delete user messages, and exfiltrate sensitive data to command-and-control (C2) servers.

Evolved Triada Trojan Uses System-Level Mechanisms for Persistent Infiltration

The Trojan also leverages auxiliary modules to enable arbitrary code loading and method interception within targeted applications.

[Figure: Using the auxiliary module]

Browser-focused payloads hijack and replace links using hooks into application logic, potentially redirecting users to phishing sites or malicious advertisements.

In SMS and telephony, the malware filters and sends messages, overrides premium SMS permissions, and can even act as a reverse proxy, effectively providing attackers with network access through infected devices.

Securelist analysis of the campaign revealed that infected devices are typically counterfeit versions of popular smartphone brands, often sold through online marketplaces.

Firmware fingerprints of these devices differ slightly from official versions, indicating tampering during production or distribution.

Security telemetry has identified over 4,500 infected users globally, with the highest concentrations in Russia, the United Kingdom, Netherlands, Germany, and Brazil.

Open-source intelligence suggests that attackers have stolen over $264,000 in cryptocurrency since mid-2024 via replacement wallet addresses embedded in the malware.

Technically, Triada’s persistence and depth of integration make it especially dangerous.

Because its payloads operate in the context of legitimate app processes (thanks to Zygote-based injection), they inherit all permissions and access rights of their host applications, effectively neutralizing Android’s sandboxing and permission controls.

The campaign is notable for its professional software engineering, including the use of advanced techniques such as AES-128 and RSA encryption for secure communication with C2 servers, reflection and method hooking to bypass app obfuscation, and dynamic payload delivery tailored to individual device environments.

Linguistic and infrastructure analysis suggests a China-based threat group with links to other sophisticated malware campaigns, such as Vo1d.

Given the depth of compromise, remediation is challenging: only re-flashing devices with clean, official firmware can reliably remove the Trojan.

Security experts advise against using affected devices for sensitive transactions and recommend deploying robust endpoint security solutions capable of detecting infected system components.

As attackers shift tactics toward pre-installed threats at the supply chain level, the Triada campaign underscores the critical importance of supply chain security, highlighting the need for rigorous firmware integrity checks before devices are brought to market.
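Two defender-side checks for the artefacts named above (a shared object dropped into /system/framework/arm or /system/framework/arm64, and a compromised boot-framework.oat), as an added example that is not part of this report or of the Securelist analysis. It assumes adb on PATH and toybox find/sha256sum on the device for live use; the listing, manifest and hash values in the script are constructed samples, not real file hashes.

```shell
#!/bin/sh
# Added example: integrity checks for the framework OAT directories.
# On stock Android these directories hold compiled boot images
# (.oat/.art/.vdex); a .so there is out of place. A tampered
# boot-framework.oat keeps its legitimate name, so presence checks are
# not enough: its hash must be compared with the vendor's official image.

# Constructed sample data standing in for real device output.
SAMPLE_LISTING='/system/framework/arm64/boot.oat
/system/framework/arm64/boot-framework.oat
/system/framework/arm64/binder.so
/system/framework/arm/boot.oat'

# "sha256  path" lines; hashes are placeholders, not real values.
GOOD_MANIFEST='aaaa1111  /system/framework/arm64/boot.oat
bbbb2222  /system/framework/arm64/boot-framework.oat'
DEVICE_HASHES='aaaa1111  /system/framework/arm64/boot.oat
cccc3333  /system/framework/arm64/boot-framework.oat
dddd4444  /system/framework/arm64/binder.so'

# Print every .so found under the framework OAT directories in a listing
# of absolute paths read from stdin (for example `adb shell find` output).
flag_framework_libs() {
    awk '/^\/system\/framework\/arm(64)?\/[^\/]+\.so$/ { print }'
}

# Compare "sha256  path" files: $1 is the known-good manifest taken from
# official firmware, $2 the hashes read from the device. Prints one
# MISSING / MODIFIED / UNEXPECTED line per differing path; exit 0 only
# when device and manifest agree.
verify_manifest() {
    awk '
        NR == FNR { good[$2] = $1; next }
        { seen[$2] = $1 }
        END {
            bad = 0
            for (p in good) {
                if (!(p in seen))            { print "MISSING", p; bad = 1 }
                else if (good[p] != seen[p]) { print "MODIFIED", p; bad = 1 }
            }
            for (p in seen)
                if (!(p in good))            { print "UNEXPECTED", p; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# Live collection from an attached device (assumes adb and toybox tools).
live_hashes() {
    adb shell 'find /system/framework/arm /system/framework/arm64 -type f -exec sha256sum {} +'
}
```

For a real device, save `live_hashes` output to a file and pass it as the second argument of `verify_manifest`, with the first argument built from the vendor's official firmware image extracted offline.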


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
