Lemon Group, a cybercrime organization, is exploiting millions of already infected Android smartphones worldwide, posing significant risks to the supply chain. According to Trend Micro, the group utilizes these devices as mobile proxies to carry out various malicious activities, including stealing and selling SMS messages, social media, and online messaging accounts and generating revenue through advertisements and click fraud.
The cybersecurity firm has highlighted the scope of the operation, with approximately 8.9 million compromised Android devices, primarily budget phones, detected in countries such as the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
Researchers presented findings on the issue during the recent Black Hat Asia conference in Singapore. Lemon Group is not limited to smartphones but is expanding its targets to other Android-based IoT devices, including smart TVs, Android TV boxes, entertainment systems, and children’s watches.
The infections are widespread, spanning over 180 countries and impacting over 50 mobile device brands. The malware strain responsible for the compromise is called Guerilla. Its deployment by Lemon Group has been ongoing for the past five years. The threat actors behind the operation aim to exploit this malware to generate significant profits at the expense of legitimate users, particularly by compromising critical infrastructure.
Initially, Guerilla malware was discovered by Sophos in 2018, when 15 apps on the Play Store engaged in click fraud and served as a backdoor. In early 2022, the malware gained attention for its ability to intercept SMS messages, specifically those containing one-time passwords (OTPs) used for online platforms. Lemon Group later rebranded its operation to Durian Cloud SMS.
The ultimate goal is to bypass SMS-based verification and sell bulk virtual phone numbers associated with unsuspecting users of infected Android devices, enabling the creation of fraudulent online accounts. While temporary phone numbers have legitimate uses for privacy, they can also aid in spamming and fraudulent activities.
Further analysis reveals that Guerilla consists of multiple plugins, with a downloader component as the main plugin. This main plugin is loaded into the zygote process through a tampered library, so every app process subsequently forked from zygote inherits the modification. The other Guerilla plugins serve different purposes, each providing a business function and monetization opportunity for Lemon Group. These include
- a proxy plugin for renting out access to network resources,
- a cookie plugin for harvesting Facebook cookies and profile information,
- a WhatsApp plugin for session hijacking and sending unwanted messages,
- a splash plugin for displaying unwanted ads, and
- a silent plugin for stealthily installing APK files and launching apps.
Investigations have uncovered infrastructure overlaps between Lemon Group and Triada, suggesting a potential collaboration between the two groups at some point. Unauthorized firmware modifications could have occurred through a third-party vendor responsible for producing firmware components for mobile phones and similar Android Auto components.
In related news, a Microsoft security researcher named Dimitrios Valsamaras recently disclosed a new attack method called Dirty Stream. This method leverages Android share targets to distribute malicious payloads and capture sensitive data from other installed apps. By exploiting vulnerabilities in content providers, a malicious app can overwrite critical files or force the copying of protected files to public directories, potentially compromising the user’s private data.
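The file-overwrite case described above arises when a share target trusts the file name that the sending app's content provider reports. The following receiver-side handler is an added illustration in Java, not code from Microsoft's disclosure or from any affected app; the class and method names are assumed, and the vulnerable pattern appears only in a comment.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

/** Receiving side of an ACTION_SEND share target (constructed example). */
public final class SafeShareReceiver {

    /** Saves the shared stream under files/received; returns null if the name is rejected. */
    public static File saveSharedStream(Context ctx, Intent intent) throws IOException {
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (uri == null || !ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) return null;

        ContentResolver resolver = ctx.getContentResolver();
        String displayName = null;
        // DISPLAY_NAME is answered by the *sending* app's content provider, so it is attacker-controlled.
        try (Cursor c = resolver.query(uri, new String[]{OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            if (c != null && c.moveToFirst()) displayName = c.getString(0);
        }
        if (displayName == null) return null;

        // Vulnerable pattern: new File(ctx.getFilesDir(), displayName). A name such as
        // "../shared_prefs/settings.xml" escapes the intended directory and overwrites app data.
        File targetDir = new File(ctx.getFilesDir(), "received");
        if (!targetDir.isDirectory() && !targetDir.mkdirs()) return null;

        // Hardened: accept only a bare file name (no path separators, not hidden, not "..")
        // and then confirm the canonical path still lies inside targetDir.
        String safeName = new File(displayName).getName();
        if (safeName.isEmpty() || safeName.startsWith(".") || !safeName.equals(displayName)) return null;
        File out = new File(targetDir, safeName);
        String dirPrefix = targetDir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(dirPrefix)) return null;

        try (InputStream in = resolver.openInputStream(uri);
             FileOutputStream fos = new FileOutputStream(out)) {
            if (in == null) return null;
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) fos.write(buf, 0, n);
        }
        return out;
    }
}
```

The same canonical-path check applies to the reverse case in the text, where a provider is coaxed into copying protected files into a public directory: resolve the destination before writing, not after.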