Imagine you got the latest phone released at a steal price—almost 50% off the market price. You brag about the killer deal to your friends and recommend that they get their phones from the same spot. Then you take your phone home, back up your WhatsApp, add your bank application, add your crypto wallet, and get your phone set up. And then you add two-factor authentication for extra security. However, one fine day, you open your crypto wallet, only to find that it has been drained.
Now you go back and check what you did wrong, but you find no trace of any mistake. What you did not know is that the phone you bought for a killer deal was pre-installed with malware by hackers. This is called the fake phone crypto scam.
The fake phone looks no different from a normal phone. It is just another phone that carries the company's brand name and works like any other. You will not have a hint of suspicion and will go about using it. However, the phone comes pre-installed with malware called the Triada Trojan.
What is the Triada Trojan and how does it work?
Triada is a modular mobile Trojan that targets banking and financial applications, and some popular communication applications like WhatsApp, Facebook, and Google Mail. According to the Darktrace website, the malware “attempts to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds.
Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft.”
How the hackers access data
Once installed, the trojan malware collects information about the system: the device’s model, OS version, SD card space, and the list of installed applications, and sends this information to a C2 server. Thereafter, the server responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.
Once the device has been successfully infected by Triada, malicious actors will have full control over the device. They will be able to monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone.
Kaspersky Lab cybersecurity expert Dmitry Kalinin stated that once the trojan grants the attackers access to devices, they can steal crypto by replacing wallet addresses.
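The wallet-address replacement Kalinin describes defeats any check that only looks at the pasted address, because the attacker's address is itself well-formed. As an added example, not code from the original article, here is a Python check (the names `ADDRESS_BOOK` and `check_destination` and the address payloads are assumptions) that validates a Bitcoin-style Base58Check address and then compares it against an address book recorded out of band, which is the only step that catches a substitution.

```python
import hashlib

# Base58 alphabet used by Bitcoin-style addresses (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data: bytes) -> bytes:
    # double SHA-256, from which the 4-byte Base58Check checksum is taken
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def encode_address(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    return b58encode(raw + sha256d(raw)[:4])

def checksum_ok(address: str) -> bool:
    # well-formed: decodes to 25 bytes and the trailing checksum matches
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    return len(raw) == 25 and sha256d(raw[:-4])[:4] == raw[-4:]

# Constructed address book: labels -> addresses recorded out of band, never from the clipboard
ADDRESS_BOOK = {"exchange-deposit": encode_address(0, bytes.fromhex("11" * 20))}

def check_destination(label: str, pasted: str) -> tuple:
    """Verify a pasted destination against the address book before signing."""
    if not checksum_ok(pasted):
        return False, "malformed address"
    expected = ADDRESS_BOOK.get(label)
    if expected is None:
        return False, "unknown label"
    if pasted != expected:
        # a swapped address is normally well-formed; only this comparison catches it
        return False, "address mismatch: possible substitution"
    return True, "matches address book"
```

The address book has to live somewhere the phone's clipboard cannot reach, such as the cold-storage device itself, or the comparison proves nothing.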
How to avoid these scams
Purchase from reputable dealers
Make sure to buy your phone from authorized dealers and avoid getting it from less reputable online stores and marketplace auctions. If the price is significantly lower than what the product generally sells for, avoid it unless you are 100% sure about the seller. You could check the seller's Google reviews, or enquire about their products with someone well versed in the local market.
However, there could be instances where a seller unknowingly sells an infected phone, because a stage of the supply chain was compromised. Hence, it is always better to stick to the major dealers, even if it is a touch more expensive.
Look for abnormal phone activity
If your battery drains fast or you get unexpected pop-ups out of nowhere, keep a close eye on your phone. And if there are messages or links prompting you to click, don't click on them.
Keep crypto in cold storage
It is a healthy practice to keep all your long-term digital assets in offline storage that is not connected to the internet. By doing this, you minimize your losses even if an attack is attempted.