
The Rise of Pre-Infected Devices: Lemon Group’s Latest Tactic for Cybercrime


The Growing Threat of Pre-Infected Android Devices: Lemon Group’s Guerrilla Malware Campaign

An Unknowing Contributor to Cybercrime

Millions of Android phone users worldwide, without their knowledge, are helping the Lemon Group profit through their unwitting use of pre-infected devices. The Lemon Group has pre-installed their Guerrilla malware onto these devices, turning these phones into tools for cybercrime. The company claims almost 9 million devices, but Trend Micro researchers suggest that the number could be much higher.

The Global Reach of the Threat

The Guerrilla malware has spread across 180 countries, with more than 55% of victims located in Asia. Android phone users in North America and Africa are also among those affected by this malware, which has been identified on over 50 inexpensive mobile devices, as well as Android Smart TVs, TV boxes, entertainment systems, and children’s watches. This malware has become a continuously growing problem amongst Android users.

A Major Threat to Critical Infrastructure

Currently, the Guerrilla malware is used to steal and sell SMS messages, set up online messaging and social media accounts, serve unwanted ads, and harvest one-time passwords (OTPs). Lemon Group can use these infected devices in different ways to exploit their users. However, a bigger concern is the significant long-term profit that could be achieved from the compromise of critical infrastructure.

The Pre-Installed Malware Issue: A Persistent Danger

The issue of pre-installed malware on Android phones is not new. Security vendors, including Google, Trend Micro, and Kaspersky, have reported instances of harmful applications in the firmware layer of Android devices in the past. This typically happens when Android OEMs try to add additional features to a standard Android image, a task that is often outsourced to a third party.

The Growing Danger of Pre-Installed Malware

Pre-installed malware has become more dangerous in recent years; one example is Triada, a Trojan that modifies the core Zygote process in the Android operating system. Guerrilla malware is similar to Triada in its command-and-control infrastructure and communications. The Guerrilla malware infects the Zygote process and thereby becomes part of every app on a compromised device. The malware consists of a main plugin that loads multiple other plugins, each with a specific purpose. One plugin intercepts SMS messages and OTPs from WhatsApp, Facebook, and JingDong. Other plugins allow the device's phone number to be used for phone number verification, bulk registration of spam accounts, generation of fake social media accounts, and other malicious activities. Another plugin enables the silent installation of apps that would otherwise require installation permission for specific activities. These infected devices are then rented out to customers, or their resources are rented for use in ad-fraud schemes.

Editorial and Recommendations

This pre-installed malware issue demonstrates the need for better phone security and activity monitoring by Android device users. Android users must be aware of the potential risks of purchasing inexpensive devices or unknown brands. This malware is typically found on such devices because of the third-party companies hired to install additional features. In addition, Android OEMs must take greater responsibility to enforce regular firmware checks and updates. Since the Guerrilla malware spreads across different devices, it is important to note that mobile cybersecurity is cross-platform and not limited to one device. As mobile devices become fundamental for personal and business communications and transactions, developers should prioritize device security to protect users’ data and privacy.
