Cyber Security News

Lemon Group Used 'Guerrilla' Malware to Pre-infect Millions of Android Devices

A cybercrime enterprise known as the Lemon Group reportedly pre-installed malware on almost 9 million Android-based smartphones, watches, TVs, and TV boxes. The threat actors used the malware called 'Guerrilla' to load additional payloads on the infected devices, intercept one-time passwords from SMS messages and set up a reverse proxy from the infected device. They also hijacked WhatsApp sessions from the infected devices.

Trend Micro, whose analysts discovered the cybercrime enterprise (naming them the Lemon Group), presented details about it at the recent BlackHat Asia conference. They found some overlap between the infrastructure of this operation and that of the Triada trojan from 2016. The latter was a banking trojan found pre-installed in 42 Android smartphone models from low-cost Chinese brands that sell their products globally.

Infected Millions of Android Devices with Guerrilla Malware

This newly released report from Trend Micro reveals how the criminal group infected millions of Android devices with Guerrilla malware, turning them into mobile proxies. The infection steals and sells SMS messages, social media accounts, online messaging accounts and monetizes via advertisements and click fraud.

Trend Micro believes the infected devices are distributed globally, with the threat actor controlling devices in more than 180 countries. The countries most significantly affected include the US, Mexico, Indonesia, Thailand and Russia.

Trend Micro has been tracking and reporting on the group's activities since 2021. After Trend Micro released a separate report on the operations of Lemon Group in February 2022, the group changed its operation name. Trend Micro stated: “In May, they removed some traces of ‘Lemon’ and rebranded as ‘Durian Cloud SMS.’ However, the servers are still the same and intact.”

Although the investigation focused mainly on pre-infected mobile phones, other IoT devices infected by Lemon Group or similar threat groups include smart TVs, Android TV boxes and children's Android-based watches. Trend Micro has not elaborated on how Lemon Group initially infects devices; however, the report gives a clear picture of how the primary plugin of the Guerrilla malware loads additional plugins, each dedicated to a specific function:

  • SMS plugin: Intercepts received SMS messages and reads specific ones, such as one-time passwords (OTPs) sent by platforms like WhatsApp and Facebook.
  • Proxy plugin: Creates a reverse proxy from the infected phone, allowing the attackers to use the device's network resources.
  • Cookie plugin / WhatsApp plugin: Hooks the Facebook app to dump its cookies and exfiltrate them to the C2 server. The plugin also hijacks WhatsApp sessions to disseminate unwanted messages from compromised devices.
  • Splash plugin: Hooks popular apps to intercept specific activities, such as app launch events, and requests ads from advertisement networks. Victims see unexpected ads while launching legitimate apps on their devices.
  • Silent plugin: Installs additional APKs or uninstalls existing applications as instructed. The installation and app launch are "silent" in the sense that they take place in the background.

It is of obvious concern that mobile phones may come pre-infected with malicious firmware before they are even delivered to customers, and this Trend Micro report will help make organizations more aware of this type of threat.