Hacker Group Infected Nearly 9 Million Android-based Devices

The Lemon Group, a prominent cybercrime organization, has planted the ‘Guerrilla’ malware on nearly 9 million Android devices, giving it a foothold for a range of malicious activities.

Among the illicit activities this enables, the key ones are:-

  • Intercepting SMS one-time passwords
  • Establishing reverse proxies on the infected phones
  • Hijacking WhatsApp sessions

A recent Trend Micro report found that parts of the attackers’ infrastructure overlap with the Triada trojan operation of 2016, suggesting a connection between the two.

Triada was discovered pre-installed in 42 Android smartphone models manufactured by budget-friendly Chinese brands with a global market presence, posing a significant security risk to users.

Deployment of malware

Trend Micro researchers identified over 50 infected ROMs that the Lemon Group uses to load its initial malware loader onto devices. How the malicious firmware ends up on those devices, however, remains undisclosed.

Trend Micro suggests that the compromise of devices by the Lemon Group could occur through various means such as:-

Trend Micro obtained the Lemon Group’s maliciously modified firmware by purchasing an Android phone and extracting its ROM image.

On such a device, the modified system library ‘libandroid_runtime.so’ decrypts and executes a DEX file, which loads the attackers’ main plugin, “Sloth,” and establishes communication with a Lemon Group domain specified in its configuration.
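Because the loader lives in a system library rather than in an app, the practical checks a responder runs against a library pulled from a suspect ROM are a hash comparison against a known-clean build and a search for a DEX payload embedded in the native binary. The following Python is an added example (not code from Trend Micro or from the article) that does both, including a pass for a DEX header hidden behind a single-byte XOR. The library contents, the baseline hash and the XOR key are all constructed; Trend Micro did not publish Guerrilla’s actual encryption, so the XOR pass is a generic triage heuristic, not a decryptor for the real sample.

```python
"""Triage a native library pulled from a firmware dump for signs of tampering.

Added example, not Trend Micro's or Lemon Group's code. Assumes the library
was already extracted from the ROM (e.g. adb pull or a mounted system.img) and
that a SHA-256 baseline exists from a known-clean build of the same firmware.
"""
import hashlib
import struct

DEX_MAGIC = b"dex\n"
DEX_VERSIONS = {b"035\0", b"037\0", b"038\0", b"039\0"}
DEX_HEADER_SIZE = 0x70  # every valid DEX header stores 0x70 at offset 36


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_baseline(name: str, data: bytes, baseline: dict) -> bool:
    """True when the library hash equals the known-clean hash for that path.
    A mismatch against a baseline from the same build is the simplest sign
    that a system library such as libandroid_runtime.so was replaced."""
    expected = baseline.get(name)
    return expected is not None and sha256_hex(data) == expected


def looks_like_dex_header(buf: bytes, off: int) -> bool:
    """Validate magic, version and header_size so random 'dex\\n' hits are dropped."""
    if buf[off:off + 4] != DEX_MAGIC or buf[off + 4:off + 8] not in DEX_VERSIONS:
        return False
    if off + 40 > len(buf):
        return False
    header_size, = struct.unpack_from("<I", buf, off + 36)
    return header_size == DEX_HEADER_SIZE


def find_dex_headers(buf: bytes) -> list:
    """Offsets of plaintext DEX headers embedded anywhere in a blob."""
    hits, start = [], 0
    while True:
        off = buf.find(DEX_MAGIC, start)
        if off < 0:
            return hits
        if looks_like_dex_header(buf, off):
            hits.append(off)
        start = off + 1


def find_xor_hidden_dex(buf: bytes) -> list:
    """Generic unpacking heuristic: try every single-byte XOR key and report
    (offset, key) pairs where a DEX header appears. This is an assumption used
    for triage; the real Guerrilla loader's scheme is undisclosed."""
    hits = []
    for key in range(1, 256):
        table = bytes(b ^ key for b in range(256))
        decoded = buf.translate(table)  # C-speed XOR of the whole buffer
        hits.extend((off, key) for off in find_dex_headers(decoded))
    return hits


def triage(name: str, data: bytes, baseline: dict) -> dict:
    return {
        "name": name,
        "hash_ok": matches_baseline(name, data, baseline),
        "plain_dex": find_dex_headers(data),
        "xor_dex": find_xor_hidden_dex(data),
    }


def make_fake_dex(size: int = 0x100) -> bytes:
    """Constructed stand-in for a DEX payload: valid magic, version, file_size
    and header_size fields (offsets 32 and 36), zeros elsewhere."""
    header = DEX_MAGIC + b"035\0" + bytes(24) + struct.pack("<II", size, DEX_HEADER_SIZE)
    return header + bytes(size - len(header))


# Constructed sample libraries: the "tampered" one carries the fake DEX XORed with 0x5A.
CLEAN_LIB = b"\x7fELF" + b"A" * 100 + b"B" * 50
TAMPERED_LIB = b"\x7fELF" + b"A" * 100 + bytes(b ^ 0x5A for b in make_fake_dex()) + b"B" * 50
BASELINE = {"libandroid_runtime.so": sha256_hex(CLEAN_LIB)}  # constructed baseline

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LIB), ("tampered", TAMPERED_LIB)):
        print(label, triage("libandroid_runtime.so", blob, BASELINE))
```

Run against a real dump, the hash check is the authoritative signal; the DEX search only tells you where to start reversing. A hit with a real encryption scheme will not show up in the XOR pass, so an unexplained hash mismatch still deserves a full look even when both DEX lists are empty.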

Guerrilla’s plugins

Guerrilla’s primary plugin loads specialized plugins, each built for a specific function.

The additional plugins Guerrilla loads, and what each does:-

  • SMS Plugin: Intercepts SMS-based OTPs for WhatsApp, JingDong, and Facebook.
  • Proxy Plugin: Turns infected phones into reverse proxy servers, through which the group runs its DoveProxy business.
  • Cookie Plugin: Extracts Facebook cookies and sends them to the command-and-control (C2) server; it also hijacks WhatsApp sessions and sends unwanted messages from the compromised device.
  • Splash Plugin: Shows intrusive advertisements over legitimate applications while they are in use.
  • Silent Plugin: On receiving C2 tasks, uses the device’s install permissions to silently install or uninstall apps based on APK metadata and the specified action, then launches the installed apps.

Countries Affected

The threat actor, who has control over devices in over 180 countries, has spread the infection globally, as revealed through tracking indicators.

The top 10 affected countries are:-

  • US
  • Mexico
  • Indonesia
  • Thailand
  • Russia
  • South Africa
  • India
  • Angola
  • Philippines
  • Argentina

The true number of Android devices affected by Guerrilla is probably higher than the reported count, so the infection’s scope is likely broader than initially estimated.

Separately, more than 490,000 mobile numbers were used to generate OTP requests for SMS PVA (phone-verified account) services across various platforms.

A single service run by this cybercrime syndicate alone was found to use over 500,000 compromised devices, underlining the operation’s reach across numerous locations worldwide.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.