Cybercriminals Pre-Install Guerrilla Malware on Millions of Android Devices

Published on: May 19, 2023
Last Updated: May 19, 2023

According to recent reports, the Lemon Group, a prominent cybercrime organization, has preinstalled malicious software called 'Guerrilla' on approximately 9 million devices, including Android-based smartphones, watches, TVs, and TV boxes.

Guerrilla, the malware used by these threat actors, serves several malicious purposes.

It loads additional harmful software onto infected devices, intercepts one-time passwords sent via SMS, establishes a reverse proxy on the compromised device, and even hijacks WhatsApp sessions, among other malicious activities.

Trend Micro, a leading cybersecurity firm, uncovered this extensive criminal enterprise and presented its findings at the recent Black Hat Asia conference.

Their analysts have identified significant overlaps between the Lemon Group’s infrastructure and the infamous Triada trojan operation that emerged in 2016.

"While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: analyzing massive amounts of data and the corresponding characteristics of manufacturers' shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push," explained Trend Micro.

"This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions," it added.

The Guerrilla malware employs several plugins, each handling a specific function.

The SMS Plugin intercepts one-time passwords for WhatsApp, JingDong, and Facebook.

The Proxy Plugin establishes a reverse proxy on infected devices, granting attackers access to the victim’s network resources.

The Cookie Plugin extracts Facebook cookies and hijacks WhatsApp sessions.

The Splash Plugin displays intrusive advertisements during app usage.

The Silent Plugin silently installs APKs received from the C2 server, or uninstalls apps, on command.

The operation involves an estimated 8.9 million compromised Android devices, most of them low-cost smartphones.

The highest number of infections was found in the United States, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Written by Husain Parvez

Husain has been around the internet ever since the dial-up days and loves writing about everything across the technosphere. He loves reviewing tech, writing about VPNs, and covering Cybersecurity news.