Triada
Triada is a system-level Android trojan that evolved from a sophisticated rooting malware into a supply chain threat pre-installed in the firmware of budget Android devices. First identified by Kaspersky in 2016, it was the first malware observed injecting code into the Android Zygote process, the parent from which every application forks. By 2017, Triada had shifted from post-sale infection to pre-installation: Google confirmed that a third-party vendor in the OEM supply chain was inserting Triada into system images before devices reached consumers. As of 2025, Kaspersky continues to find new Triada variants pre-installed on counterfeit smartphones sold through online marketplaces.
Overview
| Attribute | Details |
|---|---|
| First Seen | March 2016 |
| Status | Active, new variants discovered in 2025 |
| Type | System-level trojan, supply chain backdoor |
| Attribution | Unknown threat actors; supply chain compromise attributed to a vendor using the name Yehuo or Blazefire (per Google) |
| Aliases | Triada, Backdoor.AndroidOS.Triada (Kaspersky), Android.Triada (Dr.Web) |
| Platform | Android |
Origin and Lineage
Kaspersky published the initial Triada analysis in March 2016, calling it the most advanced mobile trojan they had ever analyzed. At that time, Triada was a modular trojan that gained root access through known exploits and then injected itself into the Zygote process to persist across all applications. Its primary monetization was intercepting and modifying outgoing SMS messages for premium SMS fraud, redirecting payments from in-app purchases to attacker-controlled accounts.
By 2017, the malware's delivery model changed entirely. Rather than exploiting devices post-sale, Triada began appearing pre-installed in the firmware of budget Android devices. Google's Android security team published their analysis in June 2019, confirming that a third-party vendor (identified as Yehuo or Blazefire) had injected Triada into system images provided to OEMs. When manufacturers outsourced the implementation of features not included in the Android Open Source Project (like face unlock), the contracted vendor returned system images with Triada embedded. Krebs on Security covered the supply chain implications in detail.
The 2025 variant represents a further evolution. Kaspersky's April 2025 analysis found Triada (Backdoor.AndroidOS.Triada.z) pre-installed on counterfeit Android smartphones sold through online marketplaces, with over 4,500 infections detected worldwide. The threat actors had transferred approximately $270,000 in cryptocurrency through wallets linked to the operation between June 2024 and March 2025.
Distribution
Triada's distribution model is distinct from virtually every other malware family: rather than tricking users into installing a malicious app, the malware is already present when the device is first powered on.
Supply Chain Compromise
| Phase | Method |
|---|---|
| 2016 | Post-sale rooting: exploits known kernel vulnerabilities to gain root, then injects into Zygote |
| 2017-2019 | OEM supply chain: third-party vendor inserts Triada into system images provided to budget phone manufacturers |
| 2024-2025 | Counterfeit devices: pre-installed in firmware of fake smartphones sold through online marketplaces |
The supply chain infection occurs at a point in the manufacturing process where the OEM has contracted an outside vendor to customize the firmware. The vendor, either compromised or complicit, inserts Triada into the system partition before the image is flashed onto devices. Because Triada resides in the system partition, it cannot be removed through a factory reset.
Which Devices
Triada primarily targets budget Android devices from lesser-known manufacturers. These devices are sold through:
- Online marketplaces and e-commerce platforms
- Unauthorized retailers
- Markets in developing regions where budget Android phones are prevalent
The 2025 campaign specifically targets counterfeit phones that visually imitate well-known brands but run modified firmware with Triada embedded.
Capabilities
Triada's capabilities have expanded significantly across its versions.
Early Versions (2016)
| Capability | Implementation |
|---|---|
| Zygote injection | Inject code into the Zygote process, gaining execution context in every newly launched application |
| SMS hijacking | Intercept and modify outgoing SMS messages to redirect premium SMS payments |
| Ad fraud | Inject advertising into applications and browsers |
| Module loading | Download and execute additional modules from C2 |
Supply Chain Versions (2017-2019)
| Capability | Implementation |
|---|---|
| System-level persistence | Installed in system partition, survives factory reset |
| Backdoor access | Remote command execution from C2 |
| App installation | Silently download and install additional APKs |
| Data exfiltration | Steal device identifiers, account information |
| Ad injection | Insert advertisements across applications |
| Browser manipulation | Redirect browser traffic, inject content |
Current Versions (2024-2025)
Kaspersky's 2025 analysis documents an expanded set of capabilities:
| Capability | Implementation |
|---|---|
| Cryptocurrency theft | Replace wallet addresses in clipboard to redirect crypto transactions |
| SMS interception | Read, send, and delete SMS messages (including OTP interception) |
| Call manipulation | Make calls and intercept incoming calls |
| Browser hijacking | Replace links in browsers, inject pages |
| Messenger interception | Extract messages and media from WhatsApp, Telegram, and other apps |
| Account theft | Steal credentials for social media and messaging applications |
| App installation | Download and install arbitrary APKs silently |
| DNS manipulation | Redirect network requests by modifying DNS resolution |
| Premium SMS fraud | Subscribe victims to premium services via SMS |
The 2025 variant can attack any application running on the device because it operates at the system level with full privileges.
Technical Details
Zygote Injection (Original)
The original Triada's most significant technical innovation was Zygote process injection. Zygote is the Android system process that serves as the template for every application process. When a new app launches, the system forks Zygote to create the new process. By injecting code into Zygote, Triada ensured its code was present in every application on the device, providing:
- Access to the memory space of every running application
- Ability to hook and modify function calls within any app
- Persistence that survives app-level cleanup (only a system wipe removes it)
The injected code lived primarily in the device's RAM rather than on disk, making file-based detection difficult. Kaspersky noted this was the first time such a technique had been observed in the wild, although it had previously existed as a proof-of-concept.
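The property that makes Zygote injection powerful, that the injected module is present in every forked app process, also gives a defender a triage heuristic. The following Python is an added example, not code from the page, Kaspersky or Google: it parses /proc/<pid>/maps snapshots and flags executable mappings that are common to every sampled app process yet absent from a known-clean baseline. The PIDs, paths and library names are constructed placeholders, not real indicators.

```python
"""Triage heuristic for Zygote-injected code. Every app process is forked
from Zygote, so a module injected into Zygote appears in every app process.
This added example (not code from the page, Kaspersky or Google) parses
/proc/<pid>/maps snapshots and flags executable mappings that are common to
all sampled processes yet absent from a known-clean baseline. The PIDs,
paths and library names below are constructed placeholders, not indicators."""
import re

# address perms offset dev inode [pathname]  (the /proc/<pid>/maps layout)
MAPS_LINE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def executable_files(maps_text):
    """Backing files of executable (x) mappings; anonymous regions skipped."""
    files = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and "x" in m.group(1) and m.group(2).startswith("/"):
            files.add(m.group(2))
    return files

def ubiquitous_unexpected(maps_by_pid, baseline):
    """Executable files mapped in every process but missing from baseline."""
    per_process = [executable_files(text) for text in maps_by_pid.values()]
    if not per_process:
        return []
    return sorted(set.intersection(*per_process) - baseline)

# Constructed baseline: what a clean build of this device maps into every app.
CLEAN_BASELINE = {"/system/lib64/libc.so", "/system/lib64/libandroid_runtime.so"}

# Constructed snapshots for two app processes. libplaceholder.so stands in for
# an injected module; libgame.so shows that a per-app library is not flagged.
SAMPLE_MAPS = {
    1234: "7f00000000-7f00100000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
          "7f00200000-7f00210000 r-xp 00000000 fd:00 2 /system/lib64/libandroid_runtime.so\n"
          "7f00300000-7f00320000 r-xp 00000000 fd:00 3 /system/lib64/libplaceholder.so\n"
          "7f00400000-7f00401000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
    1235: "7f00000000-7f00100000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
          "7f00200000-7f00210000 r-xp 00000000 fd:00 2 /system/lib64/libandroid_runtime.so\n"
          "7f00300000-7f00320000 r-xp 00000000 fd:00 3 /system/lib64/libplaceholder.so\n"
          "7f00500000-7f00510000 r-xp 00000000 fd:01 9 /data/app/com.example.game/lib/arm64/libgame.so",
}

if __name__ == "__main__":
    for path in ubiquitous_unexpected(SAMPLE_MAPS, CLEAN_BASELINE):
        print("mapped in every app process, not in clean baseline:", path)
```

On a real device the snapshots would be collected with root via adb from several Zygote children, and the baseline from a known-clean unit of the same build.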
System Partition Installation (Supply Chain)
In the supply chain variant, Triada is compiled into the system image:
- Located in the /system partition, which is read-only under normal operation
- Executes with system-level privileges (UID 1000 or root)
- Cannot be removed through factory reset because the factory image itself contains the malware
- Only reflashing with a clean firmware image removes it
Google's analysis described the infection as "inconspicuously included in the system image as third-party code for additional features requested by the OEMs."
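As a triage check for the system-partition installation described above, here is an added Python example (not the page's, Google's or Kaspersky's code). It parses constructed output of two real Android commands, getprop and pm list packages -s -f, reports the Verified Boot state, and diffs the system package list against a baseline assumed to come from a known-clean device of the same build; package names, paths and property values are constructed placeholders.

```python
"""Firmware-level triage for a device suspected of carrying a pre-installed
system-partition implant. Added example, not code from the page, Google or
Kaspersky. It parses constructed output of two real Android commands,
`getprop` and `pm list packages -s -f`, then reports Verified Boot state and
any system package missing from a clean baseline of the same build. Package
names, paths and property values below are constructed placeholders."""
import re

PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")
PKG_RE = re.compile(r"^package:(\S+?)=(\S+)$")

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    return {m.group(1): m.group(2)
            for m in map(PROP_RE.match, text.splitlines()) if m}

def parse_system_packages(text):
    """Map package name -> APK path for `pm list packages -s -f` output."""
    return {m.group(2): m.group(1)
            for m in map(PKG_RE.match, text.splitlines()) if m}

def triage(props, packages, baseline):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "missing")
    # Caveat: 'green' only proves the image matches what the signer shipped.
    # An implant inserted before OEM signing (the 2017-2019 case) still boots
    # green, so the package diff below is the check that actually matters.
    if state != "green":
        findings.append("verified boot state %s: system image not OEM-attested" % state)
    if props.get("ro.boot.veritymode") != "enforcing":
        findings.append("dm-verity not enforcing: /system may have been altered")
    for name, path in sorted(packages.items()):
        if name not in baseline:
            findings.append("system package absent from clean baseline: %s (%s)" % (name, path))
    return findings

# Constructed samples. The second package is a placeholder, not a real IoC.
SAMPLE_GETPROP = """[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]"""
SAMPLE_PACKAGES = """package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/PlaceholderSvc/PlaceholderSvc.apk=com.placeholder.svc"""
CLEAN_BASELINE = {"com.android.settings"}

if __name__ == "__main__":
    for finding in triage(parse_getprop(SAMPLE_GETPROP),
                          parse_system_packages(SAMPLE_PACKAGES), CLEAN_BASELINE):
        print(finding)
```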
C2 Communication
Triada uses HTTPS for C2 communication. The C2 infrastructure delivers:
- Module updates and new capabilities
- Tasking instructions (which ads to display, which SMS to intercept)
- Additional APKs for installation
- Configuration updates (target lists, wallet addresses)
Monetization
| Revenue Stream | Method |
|---|---|
| Ad fraud | Inject ads into legitimate apps, generate fraudulent impressions |
| Premium SMS | Subscribe victims to premium services, intercept confirmation SMS to prevent cancellation |
| Cryptocurrency theft | Replace wallet addresses in clipboard during copy-paste operations |
| Credential sale | Stolen account credentials sold on underground markets |
| Backdoor access | Persistent device access can be sold or leased to other threat actors |
The 2025 variant's cryptocurrency theft alone generated $270,000 in approximately nine months.
Known Deployments and Targets
| Region | Context | Period |
|---|---|---|
| Global (budget devices) | Pre-installed on budget Android devices from various manufacturers | 2017-2019 |
| Russia (primary) | Highest concentration of 2025 variant infections | 2024-2025 |
| UK, Netherlands, Germany | Secondary infection clusters | 2024-2025 |
| Brazil, UAE | Additional infection clusters | 2024-2025 |
| China (manufacturing) | Source of supply chain compromise in OEM firmware | 2017-present |
Unlike targeted spyware, Triada is indiscriminate: anyone who purchases an affected device is compromised. The economic incentive is volume-based fraud rather than intelligence collection.
Notable Campaigns and Discoveries
March 2016: Kaspersky publishes the initial Triada analysis, identifying it as the most advanced mobile trojan at the time. The Zygote injection technique is documented for the first time in the wild.
2017: Triada evolves from a rooting trojan to a supply chain threat. Google begins identifying pre-installed Triada variants on new devices.
June 2019: Google's Android security team publishes "PHA Family Highlights: Triada", confirming that a third-party vendor (Yehuo/Blazefire) injected Triada into system images during the manufacturing process. Google details how they worked with OEMs to distribute clean updates and implemented the Build Test Suite to scan system images for threats.
June 2019: Krebs on Security reports on the supply chain attack, tracing the compromise through the Android OEM ecosystem and highlighting the systemic risk in budget device manufacturing.
August 2021: Kaspersky discovered Triada embedded inside a modified WhatsApp build (FMWhatsApp) distributed via third-party app stores, with the trojan injected through a malicious advertising SDK.
2019-2023: Multiple security firms continue to identify Triada pre-installed on budget devices from various manufacturers. Google's Build Test Suite catches some instances before devices ship, but the problem persists in devices sold through channels outside Google's certification program.
March-April 2025: Kaspersky publishes a comprehensive analysis of the latest Triada variant (Backdoor.AndroidOS.Triada.z), found on counterfeit smartphones. The new version demonstrates expanded capabilities including cryptocurrency theft ($270,000 confirmed), messenger interception, DNS manipulation, and the ability to attack any application on the device. Over 4,500 infections detected across multiple countries.
Related Families
Necro follows a similar supply chain approach at the SDK level, compromising legitimate apps through the malicious "Coral SDK" to reach 11 million+ users on Google Play. Goldoson also used an SDK-based supply chain attack, affecting 60+ apps with 100M+ downloads. While Triada operates at the firmware level, these families demonstrate the same principle: compromising the software supply chain to reach massive install bases without requiring users to install a malicious app.