{"id":5234,"date":"2025-12-04T07:57:20","date_gmt":"2025-12-04T07:57:20","guid":{"rendered":"https:\/\/adex.com\/?p=5234"},"modified":"2026-04-23T10:54:28","modified_gmt":"2026-04-23T10:54:28","slug":"triada-malvertising-case-study","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/","title":{"rendered":"Inside the Triada Battle: A Five-Year Investigation and the Security Upgrades It Triggered"},"content":{"rendered":"\n

Adex, an anti-fraud platform that helps advertisers detect suspicious events within their traffic immediately, has recently uncovered a new generation of the notorious Triada malware \u2013 a threat we\u2019ve been battling since 2020. <\/p>\n\n\n\n

Over the past years, this Trojan has grown increasingly aggressive and sophisticated. Today, every major ad network faces its impact, as Triada continuously evolves, deploying new fraud schemes, data-theft techniques, and methods to hijack advertiser accounts and budgets.<\/p>\n\n\n\n

Read on to discover how Adex experts and Business Security & Compliance teams of the PropellerAds advertising platform traced and exposed a fraud ring that attempted to use advertiser accounts across major ad networks to distribute Android malware, in some cases through reputable platforms, like GitHub and Discord.<\/p>\n\n\n\n

\n\n\n\n

What is Triada and How Attackers Profit From It?<\/h2>\n\n\n\n

Triada<\/a> is an Android Trojan first identified in 2016. It began as a modular backdoor and rootkit, granting attackers privileged access and enabling the malware to infiltrate deeply into Android system processes. <\/p>\n\n\n\n

What started as an advanced Android backdoor has evolved into a fully fledged mobile cybercrime tool, growing more sophisticated with every new iteration.<\/p>\n\n\n\n

Over time, Triada has significantly expanded its capabilities: it can steal sensitive data, hijack communication apps, inject unwanted ads, subscribe users to paid services, and even replace cryptocurrency wallet addresses. Its scale is especially alarming because it targets major apps millions rely on daily \u2013 including WhatsApp, Facebook, and Gmail.<\/p>\n\n\n\n

According to the latest statistics, in the third quarter of 2025 alone, Triada ranked among the leading mobile threats, accounting for 15.78% of all detected infections.<\/a><\/p>\n\n\n\n

But how does it reach the device?<\/p>\n\n\n\n

Triada spreads through several channels, each designed to maximize reach and monetization. Here are the main methods attackers use:<\/p>\n\n\n\n

1. Infection via Modified Apps<\/strong><\/h3>\n\n\n\n

A major distribution vector has been modified Android apps such as FMWhatsApp or YoWhatsApp. These unofficial versions were often promoted via paid ads or social media posts, luring users with claims like \u201cenhanced WhatsApp with even more features.\u201d <\/p>\n\n\n\n

\"adex-triada-case-study-fake-whatsapp-app\"<\/a><\/figure>\n\n\n\n

Screenshot from suspended campaign<\/em><\/p>\n\n\n\n

2. Pre-installation on Counterfeit Devices<\/strong><\/h3>\n\n\n\n

In 2025, a massive campaign was uncovered: Triada was preinstalled on counterfeit Android smartphones sold through online marketplaces<\/a>. These phones were heavily advertised as \u201ccheap, limited-time offer devices\u201d.<\/p>\n\n\n\n

When purchased, the Trojan was already present in the firmware, activating on first boot.<\/p>\n\n\n\n

Fraudulent Schemes<\/strong><\/h3>\n\n\n\n

After the device is infected, Triada can activate one or multiple advertising-related and traffic-manipulation techniques, including:<\/p>\n\n\n\n