Thousands of cheap Android phones being sold online are secretly loaded with malware designed to steal cryptocurrency and sensitive data, according to a warning from cybersecurity firm Kaspersky. These counterfeit devices contain a version of the notorious Triada Trojan, which gives hackers nearly full control of the infected phones before they even reach customers.

Kaspersky’s Dmitry Kalinin explained that this malware is embedded in the phone's firmware, allowing attackers to hijack processes and intercept data—including crypto wallet addresses. So far, hackers have funneled at least $270,000 worth of stolen crypto into their wallets, with the actual figure likely higher. The malware also targets privacy-focused coins like Monero, making stolen funds harder to trace.

Triada isn’t limited to crypto theft. It can also steal login credentials, hijack two-factor authentication codes, and spy on messaging and email apps like WhatsApp and Gmail. What’s more alarming is that online sellers may unknowingly be distributing these compromised devices due to a breach somewhere in the supply chain.

So far, Kaspersky has identified 2,600 infections in multiple countries, with a majority of cases reported in Russia in early 2025. Triada was first discovered in 2016 but continues to evolve, making it one of the most dangerous Android threats to date.

Kaspersky advises users to buy smartphones only from trusted retailers and to install a reliable security app immediately. Other cybersecurity firms, including Microsoft and ThreatFabric, are also sounding the alarm over new crypto-targeting malware, some of which is designed to steal wallet seed phrases and hijack Chrome browser extensions.