Cybercrime gang Lemon Group has managed to get malware known as Guerrilla preinstalled on about 8.9 million Android-based smartphones, watches, TVs, and TV boxes globally, according to Trend Micro.
The Guerilla malware can load additional payloads, intercept one-time passwords (OTPs) from SMS texts, set up a reverse proxy from the infected device, and infiltrate WhatsApp sessions.
"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetisation via advertisements and click fraud," Trend Micro researchers said in a report presented at the BlackHat Asia conference this week.
The infected devices have been distributed globally, with the malware installed on devices that have been shipped to more than 180 countries including the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, Philippines, and Argentina.
Third parties preinstall malware on Android devices
The installation of malware on Android devices can occur when third parties are hired by Android device manufacturers to enhance standard system images. In its analysis of Guerilla, Trend Micro noted that a company that produces the firmware components for mobile phones also produces similar components for Android Auto, a mobile app similar to an Android smartphone used on vehicles’ dashboard information and entertainment units.
“This widens and creates the possibility that there might be some in-car entertainment systems that are already infected,” Trend Micro said in the research.
Trend Micro began its analysis of Guerrilla after monitoring reports of phones that were compromised with the malware. Researchers purchased an infected phone and extracted the ROM image for forensic analysis. “We found a system library called libandroid_runtime.so that was tampered to inject a snippet code into a function called println_native,” Trend Micro said in its report.
The injected code will decrypt a DEX file — a file format used by the Android operating system for executing bytecode — from the data section of the device and load it into memory. The file is executed by Android Runtime to activate the main plugin used by the attackers, called Sloth, and provides its configuration, which contains a Lemon Group domain used for communications.
The main business of the Lemon Group involves the utilisation of big data, “analysing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push,” Trend Micro said. This allows Lemon Group to monitor customers that can be further infected with other apps.
“We believe that the threat actor’s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetisation scheme,” Trend Micro said.
Functions of Lemon Group's Guerilla malware
The main plugin for the Guerrilla malware loads additional plugins that are dedicated to carrying out specific functions: SMS Plugin intercepts one-time passwords for WhatsApp, JingDong, and Facebook received via SMS; Proxy Plugin sets up a reverse proxy from the infected phone, allowing the attackers to utilise the victim's network resources; Cookie Plugin takes Facebook cookies from the app data directory and exfiltrates them to the C2 server. It also hijacks WhatsApp sessions to disseminate unwanted messages from the compromised device.
The malware also comprises Splash Plugin, which displays intrusive advertisements to the victims when they are using legitimate applications, and Silent Plugin, which installs additional APKs (Android Package Kits) received from the C2 server, or uninstalls existing applications, as instructed. The installation and app launch are silent in the sense that they take place in the background, Trend Micro said.
Links to Triada Trojan
Some of the attackers' infrastructure overlaps with the Triada Trojan operation from 2016.
Triada is a banking trojan that was found preinstalled on 42 Android smartphone models from low-cost Chinese brands. "We believe these two groups worked together at some point as we observed some overlap of their CC server infrastructure,” Trend Micro said.
The Lemon Group was first identified in February 2022, after which the group rebranded under the name Durian Cloud SMS. However, the attackers' infrastructure and tactics remained unchanged.