How to use Kaspersky for Android on possibly compromised device?

hughtrimble

hughtrimble

hughtrimble

Soldato
Joined
22 Jan 2014
Posts
3,898
Howdy,

I have received a TTfone 280, and there are some reports that some handsets have the Triada trojan:

Reddit - The heart of the internet

www.reddit.com www.reddit.com
www.kaspersky.co.uk

Triada: a Trojan pre-installed on Android smartphones out of the box

An updated version of the Triada mobile Trojan is built into the firmware of smartphones offered by online stores. It steals everything it can: from cryptocurrency to Telegram, WhatsApp, and other social media accounts.
www.kaspersky.co.uk www.kaspersky.co.uk

Users report the only consumer anti-virus software which seems to detect it, is Kaspersky's and the others like AVG and Malwarebytes do not.

To install it, I'll need to download Kaspersky (which is a paid-for app) and to do so I'll need to make a (fresh) Play Store account and pay for it, thus exposing that payment method/account possibly to this trojan.

Is there a way to pay for/install Kaspersky for Android without exposing payment/account details on that same device?

Hugh
 
Probably a better fit in the mobile forums.

Even if Kaspersky can detect it, if the trojan is integrated at a system level then there's no way to remove it. You're better off waiting for TTfone to release a clean system image, then wipe the phone and flash that.
 
hughtrimble said:
Howdy,

I have received a TTfone 280, and there are some reports that some handsets have the Triada trojan:

Reddit - The heart of the internet

www.reddit.com www.reddit.com
www.kaspersky.co.uk

Triada: a Trojan pre-installed on Android smartphones out of the box

An updated version of the Triada mobile Trojan is built into the firmware of smartphones offered by online stores. It steals everything it can: from cryptocurrency to Telegram, WhatsApp, and other social media accounts.
www.kaspersky.co.uk www.kaspersky.co.uk

Users report the only consumer anti-virus software which seems to detect it, is Kaspersky's and the others like AVG and Malwarebytes do not.

To install it, I'll need to download Kaspersky (which is a paid-for app) and to do so I'll need to make a (fresh) Play Store account and pay for it, thus exposing that payment method/account possibly to this trojan.

Is there a way to pay for/install Kaspersky for Android without exposing payment/account details on that same device?

Hugh
Click to expand...
Can you download the APK for it and side load it on to the phone instead of going through the store?
 
Orcvader said:
Probably a better fit in the mobile forums.

Even if Kaspersky can detect it, if the trojan is integrated at a system level then there's no way to remove it. You're better off waiting for TTfone to release a clean system image, then wipe the phone and flash that.
Click to expand...
Ah my bad, I didn't see the software for PC vs mobiles, sorry.

My plan was to see if it's found, and if yes, return it. The customer service team there were being helpful in how to check (which I found surprising and somewhat refreshing as I expected them denying it could possibly be on there!).

One Reddit thread suggests the firmware has been updated, and I received the phone just today. But I'd like to check it has indeed gone, though also aware that these tools can't find everything and it could well be something else has replaced it.

To flash it, wouldn't that require connecting it up to a PC to do? I have zero idea how 'contagious' this stuff is in terms of going from the phone to other devices running a different OS.
 
ED209 said:
Can you download the APK for it and side load it on to the phone instead of going through the store?
Click to expand...
Thank you for this suggestion - I now have the APK downloaded from Kaspersky using the phone's browser. However, it requires payment to activate! There is an activation code option I can use instead, so may buy a licence on another device and use the provided code; seems to be one of the safest options?
 
AthlonXP1800 said:

Reddit - The heart of the internet

www.reddit.com www.reddit.com

Try check for new firmware update, you should see 28 October 2025 update then download and update it. Users reported issue is resolved with new firmware update released on 28 October 2025 after they scanned with Kaspersky anti-virus again found no traces of Triada trojan on the phone.
Click to expand...
Yes, mine does indeed have that firmware already. I've also found the free Kaspersky scanner (behind their various payment insisting sections and prompts to activate a paid version).

The reports section which is hidden in the settings area and not out front, shows 2665 files scanned and nothing detected. So it's looking positive.
 
hughtrimble said:
To flash it, wouldn't that require connecting it up to a PC to do? I have zero idea how 'contagious' this stuff is in terms of going from the phone to other devices running a different OS.
Click to expand...
Yes it requires a PC, it usually requires you to put the phone into fastboot mode which is a type of recovery mode that doesn't load anything from the OS. But that's assuming the phone manufacturer hasn't blocked it.

Assuming Kaspersky is right though, seems the update has removed the trojan, so you should be fine now.
 
The reddit post says that system file `/system/lib/libandroid_runtime.so` is compromised.

Because of the way Android is designed, you as a user (or an app you install) cannot make any changes to those files. Kaspersky can do nothing other than potentially confirm if you have the compromised file on your phone - but I also wouldn't trust a user level app to be able to reliably or accurately detect such a thing in a system file.

Honestly it sounds like the phone is untrustworthy thrash; consider any accounts you've logged into the device with compromised, change passwords and get a new phone from a reputable brand. The company has huge problems if they've allowed this into a shipping firmware image.
 
Last edited:
Orcvader said:
Yes it requires a PC, it usually requires you to put the phone into fastboot mode which is a type of recovery mode that doesn't load anything from the OS. But that's assuming the phone manufacturer hasn't blocked it.

Assuming Kaspersky is right though, seems the update has removed the trojan, so you should be fine now.
Click to expand...
Thank you
 
andshrew said:
The reddit post says that system file `/system/lib/libandroid_runtime.so` is compromised.

Because of the way Android is designed, you as a user (or an app you install) cannot make any changes to those files. Kaspersky can do nothing other than potentially confirm if you have the compromised file on your phone - but I also wouldn't trust a user level app to be able to reliably or accurately detect such a thing in a system file.

Honestly it sounds like the phone is untrustworthy thrash; consider any accounts you've logged into the device with compromised, change passwords and get a new phone from a reputable brand. The company has huge problems if they've allowed this into a shipping firmware image.
Click to expand...

I appreciate your warnings; thankfully I read it was a potential issue before it arrived, so I've not used any real accounts on it. I already have a Pixel 9, this ttfone was to bridge the gap to a dumbphone, simply because it can get WhatsApp and some other useful apps on it.

I have yet to add WhatsApp, but it's also a case of never really knowing what's on your device anyway, isn't it?

Some of this stuff is so deeply embedded that you can never know for sure, even on top dollar flagships. Hugely less likely of course given they're rather more careful with their reputations than smaller manufacturers.
 
Last edited:
You must log in or register to reply here.
Back
Top Bottom