Lemon Group Utilizes Pre-Compromised Android Devices in Facilitating Cybercrime Activities at a Large Scale

An outfit called the Lemon Group has built a profitable business on pre-infected Android devices, according to cybersecurity firm Trend Micro. The group claims a catalogue of nearly nine million devices infected with its Guerrilla malware, and the real figure may be higher. Researchers found that the affected phones are being abused to steal their owners' one-time passwords and SMS messages, register unwanted accounts, serve unwanted ads and perform various other tasks. Trend Micro says the operation has infected devices in 180 countries from more than 50 mostly low-cost brands.

At the recent Black Hat Asia 2023 event, Trend Micro’s Fyodor Yarochkin, Zhengyu Dong and Paul Pajares revealed the far-reaching threats that hacked Android phones and other devices can pose. The researchers noted that Lemon Group’s malware campaign had overlapping functionality with the Trojan Triada, which actively intercepted users’ incoming and outgoing SMS messages for transaction verification codes, as well as invading their systems to manipulate search results and disrupt legitimate advertisements.

They found that the Lemon Group implant tampers with Android's Zygote process, from which every app process is forked, and so becomes part of every application on the compromised device. Their investigation also showed that the malware consists of a central plugin that loads multiple other plugins, each with a particular purpose, such as intercepting SMS messages or reading OTPs from messaging services like WhatsApp and Facebook.
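Because Zygote forks every app process, native code injected into Zygote is inherited by every app. The following is an added illustration of a defender-side check built on that property (it is not Trend Micro's code or a Guerrilla indicator): it parses `/proc/<pid>/maps` text collected from a device you administer and flags executable mappings that come from outside the stock partitions, then intersects Zygote's findings with those of the running apps. The trusted-path list, the sample maps and the library name `libimplant.so` are assumptions constructed for the example.

```python
# Added illustration (not Trend Micro's code): heuristic check for native code injected into Zygote.
# Zygote forks every app process, so a library mapped into Zygote from an untrusted path also
# appears in every app's /proc/<pid>/maps. Input is maps text gathered from a device you administer.
import re
from typing import Dict, List

# Assumption: stock Android loads native code only from these partitions; OEM builds may add more.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/", "/product/", "/odm/")
# /proc/<pid>/maps columns: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def untrusted_exec_mappings(maps_text: str) -> List[str]:
    """Paths of executable, file-backed mappings that come from outside TRUSTED_PREFIXES."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        # Skip non-executable regions and anonymous or pseudo mappings such as [stack].
        if "x" not in perms or not path.startswith("/"):
            continue
        if not path.startswith(TRUSTED_PREFIXES) and path not in found:
            found.append(path)
    return found


def inherited_from_zygote(zygote_maps: str, app_maps: Dict[str, str]) -> List[str]:
    """Untrusted code present in Zygote AND every app: the fork-inheritance signature.
    An app's own /data/app/... library is flagged per process but drops out here."""
    common = set(untrusted_exec_mappings(zygote_maps))
    for maps in app_maps.values():
        common &= set(untrusted_exec_mappings(maps))
    return sorted(common)


# Constructed sample maps (not real device output); libimplant.so is a placeholder name.
ZYGOTE_MAPS = """\
7a1b2c0000-7a1b2d0000 r-xp 00000000 fd:00 1234  /system/lib64/libc.so
7a1b2e0000-7a1b2f0000 r-xp 00000000 fd:00 2345  /apex/com.android.runtime/lib64/bionic/libdl.so
7a1b300000-7a1b310000 r-xp 00000000 fd:01 3456  /data/local/tmp/libimplant.so
7a1b320000-7a1b330000 rw-p 00000000 00:00 0
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0  [stack]
"""
APP_MAPS = {
    "com.example.mail": ZYGOTE_MAPS + "7b0000000000-7b0000010000 r-xp 00000000 fd:01 4567  /data/app/com.example.mail/lib/arm64/libnative.so\n",
    "com.example.bank": ZYGOTE_MAPS,
}
```

The per-process check alone produces false positives for an app's own native library under `/data/app/`, which is why the intersection with Zygote is the useful signal.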

One plugin lets the Guerrilla operation run a disposable phone number service for its customers, who use the numbers to receive one-time passwords and two-factor authentication codes for online accounts. Some people use such temporary numbers for privacy reasons, but criminals use them for spamming, creating fake social media accounts and other malicious activity. Another plugin lets Lemon Group rent out the infected device's resources to customers, and others silently install apps that would ordinarily require user permission. The researchers believe the operation also harvests data that can be sold to other threat actors as a further monetisation scheme after infection.

Owners of low-cost Android devices have long borne the brunt of these problems: some devices ship with malware already in the firmware, an issue cybersecurity vendors have known about for years. In most cases the affected devices are inexpensive models from largely unfamiliar brands, and the tampering is introduced when a manufacturer outsources the customisation of a standard Android system image to a third party. Over the years, attackers have also used firmware over-the-air updates to sneak potentially harmful applications and malware onto devices.

However, pre-installed malware on Android devices is becoming more dangerous for users. One example is the Trojan Triada, which overwrote and manipulated the core Zygote process in Android OS so that it operated mostly in the system's RAM, making detection very difficult. The malware intercepted SMS messages used for verification codes and manipulated search results, while also generating unwanted advertisements. Its operators infected devices with several versions of the malware, none of which users could remove without re-flashing the device.

Trend Micro's investigation suggests that the risks are likely to keep growing. Its researchers have broken the Lemon Group campaign into separate businesses, each with its own monetisation technique, such as heavy loading of advertisements through silent plugins pushed to infected phones. The threats are also spreading beyond smartphones to TVs, other devices and even children's watches running Android-based systems. The researchers note that any significant compromise of these devices could translate into significant profit for Lemon Group at the expense of legitimate users.

While the issue of pre-installed malware on Android devices may not be new, cybersecurity experts must remain vigilant as the nature and scale of the problem continues to evolve. Bad actors may look to develop new business models on various platforms, and cybersecurity measures must continue to adapt. Companies may benefit from protecting their devices by investing in security services and maintaining up-to-date cybersecurity measures.
