A cybercrime organization known as the Lemon Group has pre-infected over 8.9 million Android devices, including smartphones, watches, televisions, and more. Trend Micro states that the Guerilla malware has been preinstalled on these devices worldwide and could spread to IoT devices as well.
“We believe that the threat actor’s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme,” says Trend Micro.
Trend Micro presented its findings at the Black Hat Asia 2023 conference, held in Singapore earlier this May.
“The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud,” said Trend Micro researchers at the conference.
The Guerilla malware can interfere with a range of Android functions: it can steal passwords, intercept one-time passwords, and intercept messaging and other apps. Large amounts of personal data are exposed by this malware, and because the affected devices have already been sold worldwide, Trend Micro's research teams were left with a confusing and frustrating trail of digital breadcrumbs.
“Our data shows that this is a continuously growing problem. We manually analyzed dozens of the stock-firmware images to confirm the presence of malicious software in these models. Further, through our telemetry data, we confirmed that there are millions of infected devices operated globally. The main cluster of these devices is in South-East Asia and Eastern Europe; however, this is a truly global problem.”
The malware can be installed via third parties hired by device manufacturers, and Trend Micro is concerned it could even affect cars. Researchers have traced some of the infections to a company producing firmware components for cellular devices as well as Android Auto.
Trend Micro found “a system library called libandroid_runtime.so that was tampered with to inject a code snippet into a function called println_native. This will be called when logs are printed. Afterward, this injected code will decrypt a DEX file from the data section and load it into memory. This DEX file has the domain of Lemon Group, as well as the main plugin called ‘Sloth’. The DEX file has a configuration written with channel name ‘BSL001’, which possibly stands for that domain.”
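The tampering described above (a modified system library carrying an encrypted DEX payload in its data section) is the kind of change a firmware integrity audit is meant to catch. The following is an added example, not Trend Micro's tooling and not code from the report: it audits the files of an extracted firmware image against a manifest of known-good SHA-256 hashes and, as a second heuristic, flags native libraries that contain an unusually high-entropy region, since an encrypted blob appended to or embedded in a library stands out against ordinary code and data. It generalizes from the single library named in the article to every file in the image. The manifest of known-good hashes is assumed to be available (for example, from a trusted reference build of the same firmware), and the "image" contents, library layout, and payload bytes are all constructed in-line so the script runs offline.

```python
"""Added example: integrity and entropy audit of an extracted Android
firmware image. All sample data below is constructed, not real firmware."""
import hashlib
import math
from collections import Counter
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 1024, step: int = 256) -> float:
    """Highest entropy seen in any sliding window; short inputs use the whole buffer."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def audit_image(image: Dict[str, bytes], manifest: Dict[str, str],
                entropy_threshold: float = 7.5) -> List[dict]:
    """Compare every file against the known-good manifest and run the
    entropy heuristic on native libraries. Returns a list of findings."""
    findings: List[dict] = []
    for path, content in sorted(image.items()):
        expected = manifest.get(path)
        if expected is None:
            findings.append({"path": path, "reason": "not-in-manifest"})
        elif expected != sha256_hex(content):
            findings.append({"path": path, "reason": "hash-mismatch"})
        # Heuristic: a packed/encrypted payload inside a .so shows up as a
        # window of near-random bytes. Legitimate compressed resources can
        # trip this too, so treat it as a lead for manual analysis.
        if path.endswith(".so"):
            ent = max_window_entropy(content)
            if ent >= entropy_threshold:
                findings.append({"path": path, "reason": "high-entropy-region",
                                 "entropy": round(ent, 2)})
    for path in manifest:
        if path not in image:
            findings.append({"path": path, "reason": "missing-from-image"})
    return findings


# ---- constructed sample data (assumptions, not real firmware) ----

def _fake_library(extra: bytes = b"") -> bytes:
    # Stand-in for a shared object: ELF magic, padding, a symbol name, optional blob.
    return b"\x7fELF" + b"\x00" * 64 + b"println_native\x00" + b"\x00" * 64 + extra


def _pseudo_random(n: int) -> bytes:
    # Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted DEX.
    out, seed = bytearray(), b"constructed-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


LIB_PATH = "system/lib64/libandroid_runtime.so"
PROP_PATH = "system/build.prop"
PROP_BYTES = b"ro.build.id=CONSTRUCTED\n"
CLEAN_LIB = _fake_library()
TAMPERED_LIB = _fake_library(_pseudo_random(2048))

# Known-good hashes would normally come from a trusted reference build.
KNOWN_GOOD_MANIFEST = {LIB_PATH: sha256_hex(CLEAN_LIB), PROP_PATH: sha256_hex(PROP_BYTES)}
CLEAN_IMAGE = {LIB_PATH: CLEAN_LIB, PROP_PATH: PROP_BYTES}
TAMPERED_IMAGE = {LIB_PATH: TAMPERED_LIB, PROP_PATH: PROP_BYTES}

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, audit_image(img, KNOWN_GOOD_MANIFEST))
```

On a real image the hash comparison is the authoritative check; the entropy heuristic only exists for the case where no trusted manifest is available, and it will miss a payload that is stored compressed in a way that mimics legitimate resources or is small enough to hide inside one window, so its hits are leads for reverse engineering rather than verdicts.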
Devices preinstalled with the Guerilla malware can infect other devices as well. The Lemon Group is after massive amounts of data, from shipments to advertising content. The malware can also infiltrate users’ social media accounts, including WhatsApp, as well as compromise the Splash Plugin with intrusive advertisements. It can even install apps, leaving them silently running in the background, and uninstall them.