Lemon Group’s Cybercrime Enterprise Leverages Millions of Pre-Infected Android Phones

The Lemon Group, a large cybercrime enterprise, has installed “Guerrilla” malware on approximately 9 million Android-based devices, including smartphones, watches, TVs, and TV boxes.

Techniques such as reflashing and silent installation have become prevalent in the past decade. Reflashing involves reprogramming or replacing the firmware of a device, allowing for modifications, firmware updates, or the installation of different operating systems. These methods were initially used for device customization, but threat actors later exploited them for malicious activities, infecting phones with unwanted apps to profit from pay-per-install schemes. In 2016, reports emerged of Triada malware being implanted in multiple devices. In 2019, Google confirmed cases where third-party vendors used original equipment manufacturer (OEM) images without notifying the OEM. In 2021, researchers uncovered the criminal operations behind the SMS Phone Verified Accounts (PVA) mobile botnet, which exploited compromised mobile supply chains. They identified the malware responsible as Guerrilla and traced it back to a threat actor group known as the Lemon Group. Researchers observed an overlap between Guerrilla and Triada in their communication and network flow, indicating a potential collaboration between the two groups.

Guerrilla malware allows the threat actors to carry out various malicious activities, such as intercepting one-time passwords, setting up reverse proxies, hijacking WhatsApp sessions, and more. The Lemon Group was initially exposed in February 2022 and later rebranded as “Durian Cloud SMS,” but its tactics and infrastructure remained the same. The group’s main business involves utilizing big data for analysis and advertising purposes. It is unclear how the Lemon Group infects devices, but possible methods include supply chain attacks, compromised software/firmware updates, or insider involvement. The malware consists of various plugins for specific functions, including intercepting SMS passwords, setting up proxies, hijacking sessions, displaying intrusive ads, and silently installing/uninstalling applications. The Lemon Group’s monetization strategy includes selling compromised accounts, hijacking network resources, generating fraudulent ad impressions, and offering proxy and SMS PVA services.

The impact of the Lemon Group’s operations is global, with millions of infected devices spread across 180 countries, particularly in the United States, Mexico, Indonesia, Thailand, and Russia. The actual count of infected devices could be higher, as some devices have not yet communicated with the attackers’ servers. Researchers detected over 490,000 compromised mobile numbers tied to one-time password requests for various services. The extent of the Lemon Group’s operations indicates its substantial global reach. The threat actor’s activities pose a significant risk to compromised devices and legitimate users, and the malware has been spreading over the past five years.

To mitigate mobile device malware risks, keep software updated, download apps from trusted sources, exercise caution with app permissions, install reputable security software, beware of phishing and malicious links, enable app verification and sandboxing, implement device encryption and strong passwords, regularly back up data, use public Wi-Fi networks cautiously or with a VPN, and stay informed about mobile threats through education and awareness. These measures help protect against known vulnerabilities, malicious apps, phishing attempts, and unauthorized access, enhancing the overall security of mobile devices and safeguarding personal information.
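Two of the measures above, installing apps only from trusted sources and keeping app verification enabled, can be checked on a device you administer rather than taken on faith. The script below is an added example (it is not from the article or from the researchers who analysed Guerrilla) that parses the output of `adb shell pm list packages -i -3` and reports third-party packages whose recorded installer is not the Play Store, alongside the device's `package_verifier_enable` setting. The trusted-installer list and the sample `pm` output are constructed assumptions for this example; a preloaded image with silently installed apps, as the article describes, would typically show such packages with a null or vendor-specific installer rather than `com.android.vending`.

```shell
#!/bin/sh
# Added example, not from the article or from the Lemon Group research:
# a defender-side triage of an Android device's third-party packages.
# The real input is the output of
#     adb shell pm list packages -i -3
# whose lines look like:
#     package:com.example.app  installer=com.android.vending
# The installer treated as trusted below is an assumption for this example.

TRUSTED_INSTALLERS="com.android.vending"

# Constructed sample in the `pm list packages -i -3` format (not data from a real device).
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.vendorstore  installer=com.vendor.store
package:org.mozilla.firefox  installer=com.android.vending'

# Print "<package> <installer>" for every third-party package whose installer
# is not on the trusted list. A null installer means the app was sideloaded or
# preloaded into the image rather than installed through the store.
# Arg 1: text in the `pm list packages -i` format.
flag_untrusted_installs() {
  input=$1
  printf '%s\n' "$input" | while IFS= read -r line; do
    if [ -z "$line" ]; then continue; fi
    set -- $line                      # split into "package:NAME" and "installer=ID"
    pkg=${1#package:}
    inst=${2#installer=}
    trusted=0
    for t in $TRUSTED_INSTALLERS; do
      if [ "$inst" = "$t" ]; then trusted=1; fi
    done
    if [ "$trusted" -eq 0 ]; then
      printf '%s %s\n' "$pkg" "$inst"
    fi
  done
  return 0
}

# Number of flagged packages, for a one-line summary.
count_untrusted_installs() {
  flag_untrusted_installs "$1" | awk 'END { print NR }'
}

# Run against a connected device when adb sees one; otherwise triage the sample.
audit_device() {
  if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    pm_out=$(adb shell pm list packages -i -3 | tr -d '\r')
    verifier=$(adb shell settings get global package_verifier_enable | tr -d '\r')
  else
    echo "no device attached; using the constructed sample" >&2
    pm_out=$SAMPLE_PM_OUTPUT
    verifier="1"                      # assumed value for the sample run
  fi
  echo "Verify Apps setting (package_verifier_enable): $verifier"
  echo "Third-party packages not installed by a trusted installer: $(count_untrusted_installs "$pm_out")"
  flag_untrusted_installs "$pm_out"
}

audit_device
```

On the sample the script reports two packages, `com.example.sideloaded` (null installer) and `com.example.vendorstore` (installed by `com.vendor.store`), while the two Play Store installs pass. A package flagged this way is not proof of compromise, since vendors legitimately preload apps, but it is the shortlist worth comparing against the device maker's documented image when a phone's provenance is in doubt.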