Triada Malware Infects Android Devices via Fake Telegram App

Fortunately, the infected version of Telegram carrying Triada malware is being distributed through third-party stores rather than the official Google Play Store.

The malicious version of the Telegram app containing Triada is cleverly disguised as the latest version of Telegram Messenger, specifically version 9.2.1.

Recent research from Check Point Software Technologies highlights a concerning trend: a fake Telegram messenger app in circulation that infects Android devices with Triada malware upon installation. Unlike other malicious apps, this one is not found on the Google Play Store but on third-party app stores.

Given the widespread popularity of Telegram as one of the most commonly used messaging apps globally, it comes as no surprise that scammers and cybercriminals target it for their malicious activities. If you have unknowingly downloaded this fake app, your device may have fallen victim to malware.

The malicious Telegram app escalates its privileges on the system in order to launch the malware. This is possible if the user grants phone permissions during the signup process. Once that access is granted, the malware can inject itself into other processes, enabling it to carry out a range of malicious activities.

Fake Telegram at work (Image provided by Check Point)

Fortunately, Check Point’s security product, Harmony Mobile, plays a crucial role in safeguarding against Triada malware-infected apps. It scans for such apps and proactively blocks them from infecting the device or causing any additional harm.

It is important to highlight that earlier research on Triada has already demonstrated its persistence, with Google confirming the presence of this malware in inexpensive Android phones.

These affected devices include models from various companies such as Leagoo, ARK Benefit, Zopo Speed, Doogee, Cherry Mobile Flare, and several others. This further underscores the need for vigilance and security measures, as Triada’s reach has extended to a wide range of devices in the market.

How Do Attackers Trick Users?

The malicious version of the Telegram app containing Triada (VirusTotal sample) is cleverly disguised as the latest version of Telegram Messenger, specifically version 9.2.1. To make the modified version appear legitimate, attackers have employed tactics such as using a package name (org.telegram.messenger) that resembles the genuine app and utilizing the app’s verified icon.

Upon initiating the downloaded app for the first time, users are presented with a login window that perfectly replicates the original app’s home page. To proceed with registration, users are prompted to enter their phone number and grant access to device permissions.

Subsequently, the malicious app inserts detrimental code into the device under the guise of an internal application update service. Operating discreetly in the background, the malware initiates its malicious activities, which involve gathering device information, retrieving configuration files, and establishing communication channels.

Triada Capabilities

In their report, Check Point researchers outlined the various operations that Triada malware can carry out. These include enrolling victims in multiple paid subscriptions, displaying invisible and background ads, and making unauthorized in-app purchases using SMS and phone numbers. Additionally, Triada has the ability to steal sensitive data, including passwords, from compromised devices.

Researchers have observed a rise in modified versions of mobile apps in recent times. These modified apps entice users with new features and additional customization at low prices. However, once these apps are downloaded, they unleash malware onto the user’s device.

The risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were actually made to the application code. To be more precise – it is unknown what code was added and whether it has any malicious intent.

Check Point

To ensure protection, it is crucial to refrain from downloading software from untrusted sources. Users should always verify the app’s developer and confirm the ownership of the company before downloading any application. This cautious approach can help mitigate the risk of malware infections and protect sensitive data.
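Because the package name and icon can be copied, the signing certificate is the field that actually identifies an app's developer. The following added example (not code from Check Point or from this article) reads the APK Signature Scheme v2 signer certificate out of an APK and compares its SHA-256 fingerprint with a pinned value. The function names are hypothetical, and the pinned fingerprint is assumed to come from a copy installed from the official store.

```python
import hashlib
import struct

APK_SIG_MAGIC = b"APK Sig Block 42"
V2_SCHEME_ID = 0x7109871A  # APK Signature Scheme v2 block ID

def read_lp(buf, pos=0):
    """Read one uint32 length-prefixed field; return (field, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("length prefix overruns buffer")
    return buf[pos + 4:end], end

def v2_signer_cert_sha256(apk):
    """SHA-256 (hex) of each v2 signer's first certificate, DER bytes as stored."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP End of Central Directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_MAGIC:
        return []  # no APK Signing Block: v1-only or unsigned
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    start = cd_off - size - 8  # block is: size, ID-value pairs, size, magic
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block")
    pairs, pos, found = apk[start + 8:cd_off - 24], 0, []
    while pos + 12 <= len(pairs):
        plen, pair_id = struct.unpack_from("<QI", pairs, pos)
        if plen < 4 or pos + 8 + plen > len(pairs):
            raise ValueError("corrupt ID-value pair")
        value, pos = pairs[pos + 12:pos + 8 + plen], pos + 8 + plen
        if pair_id != V2_SCHEME_ID:
            continue  # padding or another signature scheme
        signers, sp = read_lp(value)[0], 0
        while sp < len(signers):
            signer, sp = read_lp(signers, sp)
            signed_data, _ = read_lp(signer)
            _digests, after = read_lp(signed_data)
            certs, _ = read_lp(signed_data, after)
            found.append(hashlib.sha256(read_lp(certs)[0]).hexdigest())
    return found

def signer_matches_pin(apk, pinned_sha256):
    """True only if a v2 signer exists and every signer equals the pin.

    pinned_sha256 is an assumption: take it from a trusted official install.
    """
    got = v2_signer_cert_sha256(apk)
    return bool(got) and all(d == pinned_sha256.lower() for d in got)
```

This is a triage check only: it reads the embedded certificate and does not validate the signature over the APK contents. For full verification, run `apksigner verify --print-certs` from the Android SDK build tools.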

