
Triada Android Trojan

Written by The Hivemind | May 2, 2025 6:12:14 PM

Verticals Targeted: Cryptocurrency, Social Media, Communications
Regions Targeted: Russia, United Kingdom, Germany, Netherlands, Brazil
Related Families: Dwphon, MobOk

Executive Summary

The Triada trojan has evolved into a sophisticated firmware-embedded threat, targeting Android devices with custom modules to steal cryptocurrency and compromise popular applications like Telegram and WhatsApp. Its persistence and modular architecture pose significant risks to users and organizations globally.

Key Takeaways

  • Triada is pre-installed in the firmware of counterfeit Android devices, infecting applications via the Zygote process.
  • Custom modules target cryptocurrency theft through wallet address swapping and QR code manipulation.
  • The Trojan compromises communication apps, exfiltrating sensitive data to command-and-control (C2) servers.
  • PolySwarm analysts consider Triada to be an evolving threat.

What is Triada?

The Triada trojan, a persistent threat in the Android ecosystem, has resurfaced with advanced tactics that exploit modern device protections. Unlike earlier iterations that relied on exploiting vulnerabilities to gain root access, the latest Triada variant is embedded directly into the firmware of counterfeit Android devices. This pre-installation strategy bypasses traditional infection vectors, rendering the malware nearly impossible to remove due to Android’s read-only system partition restrictions. Kaspersky SecureList recently reported on Triada.

Triada’s infection mechanism targets the Zygote process, a core component of the Android runtime that spawns all application processes. By injecting malicious code into Zygote, the trojan ensures that every application launched on the device is compromised, granting attackers pervasive control. The malware’s modular architecture allows it to deploy tailored payloads for specific applications, including Telegram, WhatsApp, TikTok, and various browsers such as Chrome, Opera, and Mozilla. These modules are downloaded from C2 servers as encrypted payloads, decrypted using XOR with distinct keys, and executed based on instructions from the server.
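For an analyst who has captured one of these encrypted module downloads, the XOR layer is usually the first thing to strip. The Python below is an added triage helper, not code from the report or from Kaspersky: it assumes the decrypted module starts with a recognisable header (DEX, ELF or ZIP, all assumptions, since the report does not say what format the modules take) and uses that known plaintext to recover a short repeating XOR key, then hashes the result so it can be compared against the SHA-256 IOCs listed later in this report. The sample blob it operates on is constructed here for demonstration.

```python
import hashlib

# The four SHA-256 hashes from the IOC section of this report.
TRIADA_IOC_SHA256 = {
    "f00daba779ce580025ff2ba51d900697f7b3b85baaf5bcd5050b25eabfeed173",
    "c6f751da1edbfe5b1c93e14c115bf40ab90f1ffbde4c17c28708e584d027e891",
    "c22452e28feddebbd7b4f11acd5f5f064a432f475e972ec6c3f3281ff6e4817d",
    "4490ecc8fc96c1301e9cab3a8a665c937475946d27ad5d71f69aa170e28cabd3",
}

# Headers a decrypted Android module is likely to start with (assumption:
# the report does not state the module format). Using a few bytes beyond the
# bare magic lets us validate that a candidate key really repeats.
KNOWN_MAGICS = {
    "dex": b"dex\n03",     # Dalvik executable, versions 035/037/038/039
    "elf": b"\x7fELF",     # native shared library
    "zip": b"PK\x03\x04",  # APK / JAR container
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 4):
    """Known-plaintext key recovery.

    For each expected header, the first bytes of the key stream are
    blob[i] ^ header[i]. We then test whether that stream repeats with a
    short period: a key of length k is only accepted if XOR-ing the blob
    with it reproduces header bytes *beyond* position k, so the check is
    never vacuous. Returns (format, key, plaintext) or None.
    """
    for fmt, magic in KNOWN_MAGICS.items():
        if len(blob) < len(magic):
            continue
        stream = bytes(b ^ m for b, m in zip(blob, magic))
        for klen in range(1, min(max_key_len, len(magic) - 1) + 1):
            key = stream[:klen]
            plain = xor_bytes(blob, key)
            if plain.startswith(magic):
                return fmt, key, plain
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_triada_sample(data: bytes) -> bool:
    """True if the decrypted payload matches one of the published IOC hashes."""
    return sha256_hex(data) in TRIADA_IOC_SHA256


# Constructed sample: a fake DEX-like payload encrypted with a 2-byte key.
SAMPLE_KEY = b"\x5a\xa3"
SAMPLE_PLAIN = b"dex\n035\x00" + b"\x00" * 24 + b"constructed module body"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    hit = recover_xor_key(SAMPLE_BLOB)
    if hit is None:
        print("no known header found under a short XOR key")
    else:
        fmt, key, plain = hit
        print(fmt, key.hex(), sha256_hex(plain), is_known_triada_sample(plain))
```

The helper only handles keys shorter than the header it matches against; a longer or non-repeating key will come back as `None`, which is itself a useful signal that the module needs manual work rather than a false decode.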

A primary objective of Triada is cryptocurrency theft. The malware employs sophisticated techniques to intercept cryptocurrency transactions, such as monitoring running activities at preset intervals to detect withdrawal attempts. It conducts a depth-first search of graphical elements in the application’s current frame to identify blockchain-related fields. Triada then swaps the victim’s cryptocurrency wallet address with an attacker-controlled one. Additionally, the trojan manipulates image elements, replacing them with QR codes embedded with attacker wallet addresses, further facilitating theft.
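The mitigation for in-process address swapping is for the wallet application to re-check what it is actually rendering before the transaction is submitted, comparing every address-shaped string on the confirmation screen (including the payload a displayed QR code encodes) against the recipient the user entered. The Python below is an added illustration of that check, not code from the report or from any wallet: the `ViewNode` class is a stand-in for an Android view hierarchy, the address regexes are my own assumptions, and the confirmation screen is constructed here with its QR image deliberately pointing at a different address so the audit has something to find.

```python
from dataclasses import dataclass, field
import re


@dataclass
class ViewNode:
    """Minimal stand-in for an Android view (assumption, not the real API):
    class name, visible text, the decoded payload of any image it shows
    (e.g. what a rendered QR code encodes) and its children."""
    cls: str
    text: str = ""
    image_payload: str = ""
    children: list = field(default_factory=list)


# Assumed address shapes for a few common chains; extend per wallet.
ADDRESS_PATTERNS = [
    re.compile(r"\b0x[0-9a-fA-F]{40}\b"),               # Ethereum-style
    re.compile(r"\bbc1[ac-hj-np-z02-9]{25,59}\b"),       # Bitcoin bech32
    re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # Bitcoin base58
    re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),        # Tron base58
]


def walk(node, path="root"):
    """Depth-first, pre-order traversal yielding (path, node)."""
    yield path, node
    for i, child in enumerate(node.children):
        yield from walk(child, f"{path}/{i}")


def extract_addresses(s):
    return [m.group(0) for rx in ADDRESS_PATTERNS for m in rx.finditer(s)]


def audit_screen(root, expected_address):
    """Return one finding per rendered address (text or QR payload) that does
    not equal the recipient the user actually entered."""
    findings = []
    for path, node in walk(root):
        shown = extract_addresses(node.text) + extract_addresses(node.image_payload)
        for addr in shown:
            if addr != expected_address:
                findings.append({"path": path, "class": node.cls, "shown": addr})
    return findings


# Constructed confirmation screen: the text shows the intended recipient but
# the QR image has been replaced with one encoding a different address.
EXPECTED = "0x" + "a1" * 20
SWAPPED = "0x" + "f3" * 20

CONFIRM_SCREEN = ViewNode("LinearLayout", children=[
    ViewNode("TextView", text="Confirm transfer"),
    ViewNode("TextView", text=f"Recipient: {EXPECTED}"),
    ViewNode("FrameLayout", children=[
        ViewNode("ImageView", image_payload=f"ethereum:{SWAPPED}"),
        ViewNode("TextView", text="Amount: 0.5 ETH"),
    ]),
])

if __name__ == "__main__":
    for finding in audit_screen(CONFIRM_SCREEN, EXPECTED):
        print("address mismatch:", finding)
```

A real wallet would run this against its own view tree (or, better, against the signed transaction bytes rather than the UI) immediately before broadcast and refuse to continue on any mismatch; the point of the example is that the comparison is made against the value the user supplied, not against whatever the screen currently shows.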

Beyond cryptocurrency, Triada targets communication and social media applications. For WhatsApp, two modules operate in tandem: one exfiltrates session data to the C2 server every five minutes, granting attackers full account access, while the other intercepts messaging functions to send and delete messages covertly. Similarly, a LINE module collects authentication data, including access tokens, every 30 seconds. Browser modules redirect legitimate URLs to advertising sites via TCP connections to the C2 server, with the potential to pivot to phishing attacks based on server instructions.
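Fixed exfiltration intervals like the five-minute and 30-second cadences described above are visible in network telemetry even when the payload is encrypted. The Python below is an added detection sketch, not code from the report: it parses a small set of constructed flow records (timestamp, source, destination, nothing real), groups them per source/destination pair, and flags pairs whose inter-arrival gaps stay within a small jitter band around their median, reporting the inferred beacon period. The log format and the thresholds are assumptions to tune for your own NetFlow or proxy data.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed flow records (not real telemetry): "timestamp src dst".
# 10.0.0.7 contacts 203.0.113.10 about every 5 minutes, 203.0.113.11 about
# every 30 seconds, and 198.51.100.5 at irregular times.
FLOW_LOG = """\
2025-05-02T12:00:00Z 10.0.0.7 203.0.113.10
2025-05-02T12:00:05Z 10.0.0.7 198.51.100.5
2025-05-02T12:00:07Z 10.0.0.7 198.51.100.5
2025-05-02T12:00:10Z 10.0.0.7 203.0.113.11
2025-05-02T12:00:40Z 10.0.0.7 203.0.113.11
2025-05-02T12:01:11Z 10.0.0.7 203.0.113.11
2025-05-02T12:01:40Z 10.0.0.7 203.0.113.11
2025-05-02T12:02:10Z 10.0.0.7 203.0.113.11
2025-05-02T12:02:41Z 10.0.0.7 203.0.113.11
2025-05-02T12:03:30Z 10.0.0.7 198.51.100.5
2025-05-02T12:03:31Z 10.0.0.7 198.51.100.5
2025-05-02T12:05:01Z 10.0.0.7 203.0.113.10
2025-05-02T12:10:00Z 10.0.0.7 203.0.113.10
2025-05-02T12:11:00Z 10.0.0.7 198.51.100.5
2025-05-02T12:15:01Z 10.0.0.7 203.0.113.10
2025-05-02T12:20:00Z 10.0.0.7 203.0.113.10
"""


def parse_flows(text):
    """Parse 'timestamp src dst' lines into (datetime, src, dst) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return flows


def find_beacons(flows, min_events=4, max_jitter_ratio=0.1):
    """Return {(src, dst): period_seconds} for pairs whose inter-arrival gaps
    all lie within max_jitter_ratio of their median gap.

    Median rather than mean so one missed or doubled check-in does not hide
    an otherwise regular cadence; min_events avoids flagging short bursts.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter_ratio:
            beacons[pair] = int(round(period))
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_flows(FLOW_LOG)).items():
        print(f"{src} -> {dst}: beacon every ~{period}s")
```

Periodicity alone is not proof of compromise (update checks and push keep-alives beacon too), so the output is a triage list: the destinations it surfaces are the ones worth resolving, enriching with reputation data, and correlating with the package that opened the socket on the device.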

The Trojan’s distribution is linked to supply chain compromises, with infected devices identified by subtle firmware naming discrepancies. High infection rates have been reported in Russia, the UK, Germany, Netherlands, and Brazil, underscoring its global reach. Related malware, such as the Dwphon loader and MobOk subscription Trojan, often accompanies Triada, amplifying the threat landscape. PolySwarm analysts consider Triada to be an evolving threat.

IOCs

PolySwarm has multiple samples associated with this activity.


f00daba779ce580025ff2ba51d900697f7b3b85baaf5bcd5050b25eabfeed173

c6f751da1edbfe5b1c93e14c115bf40ab90f1ffbde4c17c28708e584d027e891

c22452e28feddebbd7b4f11acd5f5f064a432f475e972ec6c3f3281ff6e4817d

4490ecc8fc96c1301e9cab3a8a665c937475946d27ad5d71f69aa170e28cabd3


You can use the following CLI command to search for all Triada samples in our portal:

$ polyswarm link list -f Triada



Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.