Triada Trojan Secretly Draining Crypto from Android Devices

The malware, known as Triada, allows attackers to access nearly everything on the phone. It can read text messages, gather login details, and change cryptocurrency wallet addresses during transactions. This lets the attackers quietly move funds to their own accounts without the user noticing.

Kaspersky found that around $270,000 of digital assets had already been moved to wallets linked to the attackers. However, this number may be higher, especially since they also targeted Monero XMR $216.15 , a type of cryptocurrency that is difficult to trace.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is an Automated Market Maker in Crypto? (Animated)

SUBSCRIBE

ON YOUTUBE

What makes the threat harder to detect is that the malware is installed before the phone ever reaches the buyer. Some sellers may be unaware that the devices they offer are already compromised. Kaspersky's experts believe that somewhere along the supply chain—perhaps during production or shipment—the phones are being tampered with.

Over 2,600 infections have been confirmed, mostly in Russia, and all reported within the first three months of 2025. Triada, which has been around since 2016, was initially used to target financial apps and messaging platforms like WhatsApp and Gmail, which often spread through fake apps or misleading links.

According to Dmitry Kalinin from Kaspersky, Triada remains one of the most serious threats to Android users, as it gives attackers ongoing access without the victim realizing it.

On March 28, ThreatFabric, a cybersecurity company, discovered an Android malware called Crocodilus. How does this malware work? Read the full story.