“Guerilla” Malware Found Preinstalled on Android Devices

A significant cybercrime enterprise known as the "Lemon Group" has been discovered, pre-installing sophisticated malware on potentially 9 million Android-based smartphones, watches, TVs, and TV boxes worldwide.

The group utilizes “Guerrilla” malware to perform a range of malicious activities, including intercepting one-time passwords from SMS messages, setting up reverse proxies (allowing a cybercriminal to use the network resources of the device), hijacking WhatsApp sessions, and more.

The extensive criminal operation was exposed by cybersecurity firm Trend Micro, whose analysts presented their findings at the recent BlackHat Asia 2023 conference. According to Trend Micro's report, the Lemon Group's infrastructure appears to overlap with the notorious Triada trojan operation from 2016. Triada was a trojan found pre-installed on a number of Android smartphone models.

Trend Micro first uncovered the Lemon Group in February 2022, after which the group rebranded as "Durian Cloud SMS." The primary business of the Lemon Group involves the exploitation of big data, analyzing shipment characteristics, advertising content, and hardware data to target specific regions and display tailored advertisements.

The infection process used by the Lemon Group to implant the Guerrilla malware remains unknown. However, Trend Micro's analysts discovered that infected devices had been reflashed with new ROMs (the operating system that runs the device), with over 50 different ROMs identified as ‘infected’ across various Android device vendors.

Trend Micro warns that the Lemon Group has previously claimed to control nearly 9 million infected devices in 180 countries. The countries most affected include the United States, Mexico, Indonesia, Thailand, and Russia. Whether this number is accurate or an overstatement from the threat actors is unknown.

Trend Micro has detected 490,000 phone numbers were being used for one-time password requests via Lemon SMS, and later, Durian SMS services. These passwords were used to access WhatsApp, Facebook, and JingDong, and more. This finding indicates that a sizable number of infected devices are in use throughout the world.

The cybersecurity firm has identified over 50 brands of mobile devices infected with the Guerrilla malware. Furthermore, Trend Micro reports that the malware has also been detected on Android-based smart TVs, TV boxes, smartwatches for kids, and other products.

The investigation is ongoing, and it remains crucial for users to maintain up-to-date security measures and exercise caution when purchasing Android devices from unknown or unofficial sources.