Triada Malware Blocked: Lessons for Ad Network Security

Adex, the anti-fraud and traffic-quality platform within AdTech Holding, has successfully uncovered and blocked a large-scale Android malware distribution campaign linked to the Triada Trojan, a persistent and highly evasive mobile threat.

The investigation revealed that the attackers leveraged trusted advertising networks, compromised advertiser accounts, and forged identities to distribute malicious APK files disguised as legitimate app promotions or software update notifications.

Industry data indicates that Triada accounted for 15.78% of all Android malware infections in Q3 2025, highlighting its continuing prevalence in the global mobile malware landscape.


Triada Trojan: A Persistent Mobile Threat

Originally known for injecting malicious code into system processes and intercepting communications, Triada has evolved into a modular backdoor capable of financial fraud and stealthy payload delivery. Attackers frequently distribute it through high-trust ad network environments, where malicious campaigns are exceptionally difficult to detect.


Multi-Year Campaign and Technical Evolution

Adex analysts documented three major phases of Triada activity since 2020:

  1. 2020–2021: Identity Forgery & Early Distribution
    • Attackers bypassed identity verification (KYC) requirements.
    • Fraudulent advertiser accounts distributed malware via Discord CDNs and URL-shortening services.
    • Landing pages were disguised to mimic popular online services, deceiving both moderators and users.
  2. 2022–2024: Account Takeovers & GitHub Payloads
    • Focus shifted to taking over advertiser accounts without two-factor authentication.
    • Compromised accounts launched cloaked campaigns redirecting users to GitHub-hosted malware payloads.
    • Leveraging GitHub’s domain credibility increased trust while concealing malicious intent.
  3. 2025: Sophisticated Multi-Stage Campaigns
    • Phishing pre-landing pages mimicked Chrome browser update prompts.
    • Multi-stage redirect chains evaded detection.
    • Suspicious login activity traced to Turkey and India, suggesting organized threat actors coordinated across regions.

In total, over 500 compromised advertiser accounts were identified and banned across multiple platforms.


Strengthening Ad Network Defenses

Following the Triada investigation, Adex implemented an enhanced business-protection framework in partnership with PropellerAds, adopting a zero-trust security model for all advertiser accounts. Key measures include:

  • Strict KYC authentication via Sumsub to prevent identity forgery
  • Mandatory two-factor authentication (2FA) for all advertiser accounts
  • Continuous login anomaly detection to flag suspicious activity
  • Redirect and domain verification for all hosts, including trusted platforms like GitHub and Discord

Adex confirmed these measures significantly reduced malware distribution through ad networks and raised the difficulty level for attackers attempting similar campaigns.
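To make the last two measures concrete, here is an added example (not Adex's or PropellerAds' code) of what "redirect and domain verification for all hosts" and "login anomaly detection" can look like in practice. The redirect map, hostnames (ads.example, short.example, update-chrome.example, shop.example, loop.example) and login events are constructed sample data, and the GitHub/Discord host list is an assumption about which reputable hosts warrant extra scrutiny; a production version would replace the lookup table with real HTTP Location-header fetches.

```python
"""Vetting advertiser landing pages and logins: an added, self-contained example.
All URLs, hosts and login events below are constructed; none come from the
Adex investigation."""
from collections import defaultdict
from urllib.parse import urlparse

APK_ON_GITHUB = ("https://github.com/example-user/example-repo/"
                 "releases/download/v1/update.apk")  # constructed URL

# Constructed redirect map: URL -> value of its Location header (None = final page).
# Offline stand-in for issuing HEAD/GET requests and reading Location headers.
SAMPLE_REDIRECTS = {
    "https://ads.example/click?c=1": "https://short.example/abc",
    "https://short.example/abc": "https://update-chrome.example/prelander",
    "https://update-chrome.example/prelander": APK_ON_GITHUB,
    APK_ON_GITHUB: None,
    "https://ads.example/click?c=2": "https://shop.example/landing",
    "https://shop.example/landing": None,
    "https://ads.example/click?c=3": "https://loop.example/a",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

# Reputable hosts that are routinely abused for payload hosting (assumption):
# their credibility is exactly why they must be checked rather than trusted.
HIGH_TRUST_PAYLOAD_HOSTS = {"github.com", "raw.githubusercontent.com",
                            "objects.githubusercontent.com", "cdn.discordapp.com"}
MAX_HOPS = 5


def follow_chain(start, redirects=SAMPLE_REDIRECTS, max_hops=MAX_HOPS):
    """Walk the redirect chain; stop on a final page, a loop, or the hop limit.
    Returns (list_of_urls_visited, status)."""
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops:
        nxt = redirects.get(url)          # unknown URL == final page in this stand-in
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too_many_hops"


def verify_landing(start, declared_host, redirects=SAMPLE_REDIRECTS):
    """Check every host in the chain, not just the one the advertiser declared."""
    chain, status = follow_chain(start, redirects)
    hosts = [urlparse(u).hostname for u in chain]
    findings = []
    if status != "final":
        findings.append(f"redirect chain {status}")
    if hosts[-1] != declared_host:
        findings.append(f"final host {hosts[-1]} != declared {declared_host}")
    if urlparse(chain[-1]).path.lower().endswith(".apk"):
        findings.append("final URL serves an APK directly")
    for host in hosts:
        if host in HIGH_TRUST_PAYLOAD_HOSTS:
            findings.append(f"chain passes through high-trust payload host {host}")
    return {"chain": chain, "status": status, "findings": findings,
            "verdict": "reject" if findings else "allow"}


# Constructed login events: (advertiser account, country of login, 2FA enabled?)
SAMPLE_LOGINS = [
    ("adv-001", "DE", True), ("adv-001", "DE", True), ("adv-001", "TR", True),
    ("adv-002", "FR", False), ("adv-002", "IN", False),
    ("adv-003", "US", True),
]


def login_anomalies(events):
    """Flag a login from a country not seen before on that account, and flag
    (once per account) any account still operating without 2FA."""
    seen_countries, no_2fa_flagged, alerts = defaultdict(set), set(), []
    for account, country, has_2fa in events:
        known = seen_countries[account]
        if known and country not in known:
            alerts.append((account, f"login from new country {country}, "
                                    f"previously {sorted(known)}"))
        if not has_2fa and account not in no_2fa_flagged:
            no_2fa_flagged.add(account)
            alerts.append((account, "2FA not enabled"))
        known.add(country)
    return alerts


if __name__ == "__main__":
    for campaign in ("c=1", "c=2", "c=3"):
        print(campaign, verify_landing(f"https://ads.example/click?{campaign}", "shop.example"))
    for alert in login_anomalies(SAMPLE_LOGINS):
        print(alert)
```

The point of `verify_landing` is that the declared host, the final host and every intermediate host are all inspected: a chain that ends on github.com is neither auto-trusted for its domain reputation nor quietly accepted because the advertiser declared a different, harmless-looking host. The loop and hop-limit checks stop a cloaking chain from exhausting the verifier.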


Key Takeaways for the AdTech Industry

The Triada malware case demonstrates how modern threat actors exploit trusted platforms and reputable domains to deliver malicious payloads. The investigation reinforces the need for:

  • Continuous validation of advertiser accounts
  • Proactive security oversight at every stage of digital advertising
  • Zero-trust approaches to prevent unauthorized access and malware propagation

Adex’s success highlights the importance of combining anti-fraud measures, identity verification, and continuous monitoring to safeguard mobile users and protect digital advertising ecosystems from persistent threats like Triada.
