A Cybercrime enterprise, "Lemon Group", pre-installed ‘Guerilla' malware, exploiting 9 million pre-infected Android devices worldwide.
The infections are globally spread across over 180 countries, and the malware compromised over 50 brands of mobile devices. The countries most significantly impacted include the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
Sophos first documented Guerilla in 2018 when it discovered 15 apps uploaded to the Play Store that harbored functionality to engage in click fraud and act as a backdoor.
The operation was first exposed in February 2022, shortly after the threat actor changed the name of the undertaking from Lemon to "Durian Cloud SMS." However, the attackers' methods remained unchanged.
The threat actors use Guerilla to load additional payloads, set up a reverse proxy from the infected device, intercept one-time passwords from SMS, hijack WhatsApp sessions, and more.
Trend Micro, whose analysts discovered the massive criminal enterprise and presented details about it at the recent Black Hat Asia conference, reported that some of the attackers' framework overlaps with the Triada trojan operation from 2016. Triada was a banking trojan found pre-installed in 42 Android smartphone models from low-cost Chinese brands that sell their products globally.
The analysts identified over 50 ROMs infected with initial malware loaders, targeting various Android vendors. The attackers have infected millions of Android devices, mainly mobile phones but also smartwatches, smart TVs, and other devices.
The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetisation via advertisements and click fraud.
The Guerilla loader serves additional plugins, each providing a specific piece of functionality, including:
Cookie plugin: Dumps users' Facebook cookies and other profile information. It also hijacks WhatsApp sessions and sends unwanted messages.
Proxy plugin: Sets up a reverse proxy from the infected phone and allows the attackers to utilise the victims' network resources.
SMS plugin: Intercepts one-time passwords (OTPs) for WhatsApp, JingDong, and Facebook received via SMS.
Splash plugin: Serves intrusive ads to victims when they are using legitimate apps.
Silent plugin: Installs additional APKs received from the C2 server or uninstalls existing applications as instructed. The installation and app launch are "silent" as they take place in the background.
These functions allow the Lemon Group to establish a diverse monetisation strategy that could include selling compromised accounts, generating fraudulent ad impressions, offering proxy services, hijacking network resources, and providing SMS Phone Verified Account (PVA) services.