
Trend Micro Reports 8.9 Million Android Devices Infected with Guerrilla Malware


Cybercriminal gang Lemon Group has been discovered to have preinstalled Guerrilla malware on roughly 8.9 million Android-based smartphones, TV boxes, TVs and watches across the world. Through the malware, attackers can intercept one-time passwords (OTPs) sent by SMS, hijack WhatsApp sessions, install additional payloads and run a reverse proxy on the infected device. Researchers from cybersecurity firm Trend Micro found that the attackers used the infected devices to steal SMS messages, set up and sell social media accounts for businesses and conduct click fraud. The infected devices have been shipped to over 180 countries, including the US, Mexico, Thailand, Russia, South Africa, and India.

Researchers from Trend Micro bought an infected phone and analysed it forensically. They found that a system library on the device had been tampered with to inject code into a function called println_native; that injected code was later used to decrypt a DEX file. The DEX file ran the Guerrilla malware’s main plugin, known as Sloth, and supplied its configuration values, including a Lemon Group domain name used for its communication.
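The tampered system library is the kind of finding a baseline comparison surfaces during triage. The script below is an added example, not code from Trend Micro or the article: it hashes libraries pulled from a device and classifies each as tampered, missing or unexpected against a known-good manifest taken from a clean factory image (the manifest, library names and file contents here are constructed sample data; the assumption is that such a clean image is available for the same firmware build).

```python
# Added example: verify Android system libraries pulled from a device against a
# known-good manifest, as a forensic analyst would when a preinstalled implant
# is suspected. All sample data below is constructed for illustration.
import hashlib
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_libraries(expected: dict[str, str], actual: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify libraries as tampered, missing or unexpected.
    expected: {relative path: sha256 hex} from a clean factory image.
    actual:   {relative path: file bytes} pulled from the device under analysis.
    """
    report = {"tampered": [], "missing": [], "unexpected": []}
    for path, digest in expected.items():
        if path not in actual:
            report["missing"].append(path)
        elif sha256_bytes(actual[path]) != digest:
            report["tampered"].append(path)
    for path in actual:
        if path not in expected:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def load_tree(root: str) -> dict[str, bytes]:
    """Read every file under root (for example a pulled /system/lib64) into memory."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes() for p in base.rglob("*") if p.is_file()}


# Constructed sample: a clean manifest of three libraries, and a device pull in
# which one library was modified, one is absent, and one extra library appeared.
CLEAN_CONTENTS = {
    "libandroid_runtime.so": b"clean runtime bytes",
    "libc.so": b"clean libc bytes",
    "libbinder.so": b"clean binder bytes",
}
CLEAN_MANIFEST = {name: sha256_bytes(data) for name, data in CLEAN_CONTENTS.items()}
DEVICE_PULL = {
    "libandroid_runtime.so": b"clean runtime bytes + injected loader stub",  # modified
    "libc.so": b"clean libc bytes",                                          # intact
    "libextra.so": b"unknown vendor addition",                               # not in manifest
}

if __name__ == "__main__":
    for category, paths in compare_libraries(CLEAN_MANIFEST, DEVICE_PULL).items():
        print(f"{category}: {paths}")
```

On a real device the manifest must come from the exact firmware build, since legitimate OTA updates also change library hashes.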

Third-party firms employed by device manufacturers sometimes install malware on Android devices, Trend Micro said in its report. The research identifies a firm that produces mobile phone firmware components and similar items for Android Auto, a mobile app that acts like an Android smartphone when used on a vehicle entertainment unit. This raises the possibility that in-car entertainment systems are already infected. The Lemon Group’s primary business employs big data to collect hardware and software data alongside manufacturers’ shipments and advertising content. It reportedly uses this data to infect and monitor customers’ devices and to push further apps to them.

The main plugin for the Guerrilla malware loads additional plugins that perform specific functions. The SMS Plugin, for instance, intercepts one-time passwords for Facebook, JingDong, and WhatsApp received through SMS messages. The Cookie Plugin extracts Facebook cookies from the data directory of the app and sends them to the C2 server. Lemon Group then uses this to collect big data. Splash Plugin is responsible for displaying intrusive ads to victims while they are using legitimate applications. The Silent Plugin installs additional APKs or deletes already-existing apps after receiving instructions from C2 servers.

Trend Micro noted that the Lemon Group’s infrastructure and some of its functionality overlap with the Triada Trojan operation from 2016. The Triada banking Trojan was found preinstalled on 42 smartphone models from low-cost Chinese brands. “We believe that these two groups collaborated in some way because we observed some overlap of their C&C server infrastructure,” Trend Micro said. The Lemon Group was identified for the first time in February 2022 before rebranding to the name Durian Cloud SMS. Nonetheless, the infrastructure continues to operate under the same tactics and modus operandi.

This news should serve as a warning. Lemon Group and Triada Trojan’s collaboration evinces the sophistication of cybercriminals and highlights the potential for widespread malware contamination when it comes to Android devices. Organizations must be vigilant, given the technical and financial impact of a single malware attack, and they must educate their users on the dos and don’ts of cybersecurity in a bid to protect themselves.
