An extensive cybercriminal organization, known as the "Lemon Group," has recently emerged for its large-scale dissemination of malware on thousands of Android devices. This malware, named 'Guerilla,' has been pre-installed on nearly nine million TV boxes, TVs, watches, and smartphones; all Android. The cybercriminals behind this operation employ Guerilla to carry out a range of malicious actions, including intercepting single-use passwords, hijacking the user's WhatsApp sessions, and establishing reverse proxies.
Cybersecurity company Trend Micro has released a comprehensive report exposing the criminal operations conducted by the Lemon Group. During their investigation, Trend Micro analysts discovered a connection between the Lemon Group's infrastructure and the notorious Triada Trojan campaign since the year 2016. The Triada Trojan was a malicious software specifically designed for banking fraud and was discovered to be installed pre-sale on several Android smartphones produced by budget Chinese brands.
The comprehensive report by Trend Micro provides further insights into the operational strategies employed by the Lemon Group. Although the group is involved in various ventures such as big data analysis, marketing, and advertising, their core objective revolves around harnessing the power of big data. They utilize this data to scrutinize shipments of the manufacturers, acquire intricate data for tailored promotions for software, and amass ad content sourced from diverse users. By infecting millions of Android devices, the Lemon Group effectively converts them into mobile proxies, facilitating the illicit trade of stolen SMS messages, compromised social media accounts, and active participation in fraudulent advertising schemes.
The exact methods employed by Lemon Group to infect devices remain undisclosed. However, Trend Micro clarifies that their analysts have confirmed that infected devices have undergone a process called re-flashing, where the original ROMs have been replaced with modified versions containing the Guerilla malware. The researchers identified over 50 distinct infected ROMs, targeting various Android device manufacturers.
Guerilla functions as a plugin that integrates various added plugins to carry out specific tasks. These functionalities encompass intercepting single-use passcodes sent via SMS for widely used platforms such as WhatsApp and Facebook. Another plugin sets up a reverse proxy, enabling cybercriminals to gain unauthorized access to the victim's network resources. Moreover, additional plugins specialize in pilfering Facebook cookies, hijacking the users’ WhatsApp sessions to propagate unsolicited messages, showcasing intrusive advertisements while users engage with legitimate applications, and quietly installing or deleting apps as the malware directs.
The global reach of Lemon Group's malicious operations has been significant, causing widespread impact. Trend Micro's investigation uncovered that Lemon Group boasted control over around nine million Android devices scattered throughout the globe. Among the countries most heavily affected are the U.S., Indonesia, Mexico, Russia, and Thailand. However, the accurate number of Android devices infected with Guerilla malware is suspected to be higher since some devices have yet to establish connections with the attackers' command and control servers.
Through vigilant monitoring of the Lemon Group's activities, cybersecurity experts from Trend Micro have uncovered a shocking revelation. They have identified a staggering total of more than 490K mobile numbers that are connected to requests for one-time passwords used in SMS-based services like JingDong, WhatsApp, QQ, Line, Facebook, and Tinder. This vast number of compromised devices, all linked to a single service, serves as a striking testament to the worldwide impact and scale of the cybercriminal syndicate's malicious endeavors.
Trend Micro has sought additional information from Lemon Group regarding the sources of the pre-infected devices, the channels through which they are sold, and the specific brands affected. However, a response from Lemon Group has not been received at the time of this report.
Read next: Study Reveals the Impact of Connectivity Issues on App Usage and Retention
Cybersecurity company Trend Micro has released a comprehensive report exposing the criminal operations conducted by the Lemon Group. During their investigation, Trend Micro analysts discovered a connection between the Lemon Group's infrastructure and the notorious Triada Trojan campaign since the year 2016. The Triada Trojan was a malicious software specifically designed for banking fraud and was discovered to be installed pre-sale on several Android smartphones produced by budget Chinese brands.
The comprehensive report by Trend Micro provides further insights into the operational strategies employed by the Lemon Group. Although the group is involved in various ventures such as big data analysis, marketing, and advertising, their core objective revolves around harnessing the power of big data. They utilize this data to scrutinize shipments of the manufacturers, acquire intricate data for tailored promotions for software, and amass ad content sourced from diverse users. By infecting millions of Android devices, the Lemon Group effectively converts them into mobile proxies, facilitating the illicit trade of stolen SMS messages, compromised social media accounts, and active participation in fraudulent advertising schemes.
The exact methods employed by Lemon Group to infect devices remain undisclosed. However, Trend Micro clarifies that their analysts have confirmed that infected devices have undergone a process called re-flashing, where the original ROMs have been replaced with modified versions containing the Guerilla malware. The researchers identified over 50 distinct infected ROMs, targeting various Android device manufacturers.
Guerilla functions as a plugin that integrates various added plugins to carry out specific tasks. These functionalities encompass intercepting single-use passcodes sent via SMS for widely used platforms such as WhatsApp and Facebook. Another plugin sets up a reverse proxy, enabling cybercriminals to gain unauthorized access to the victim's network resources. Moreover, additional plugins specialize in pilfering Facebook cookies, hijacking the users’ WhatsApp sessions to propagate unsolicited messages, showcasing intrusive advertisements while users engage with legitimate applications, and quietly installing or deleting apps as the malware directs.
The global reach of Lemon Group's malicious operations has been significant, causing widespread impact. Trend Micro's investigation uncovered that Lemon Group boasted control over around nine million Android devices scattered throughout the globe. Among the countries most heavily affected are the U.S., Indonesia, Mexico, Russia, and Thailand. However, the accurate number of Android devices infected with Guerilla malware is suspected to be higher since some devices have yet to establish connections with the attackers' command and control servers.
Through vigilant monitoring of the Lemon Group's activities, cybersecurity experts from Trend Micro have uncovered a shocking revelation. They have identified a staggering total of more than 490K mobile numbers that are connected to requests for one-time passwords used in SMS-based services like JingDong, WhatsApp, QQ, Line, Facebook, and Tinder. This vast number of compromised devices, all linked to a single service, serves as a striking testament to the worldwide impact and scale of the cybercriminal syndicate's malicious endeavors.
Trend Micro has sought additional information from Lemon Group regarding the sources of the pre-infected devices, the channels through which they are sold, and the specific brands affected. However, a response from Lemon Group has not been received at the time of this report.
Read next: Study Reveals the Impact of Connectivity Issues on App Usage and Retention