Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise

Cyber Security Threat Summary:
Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities. The Lemon Group claims that it possesses a network of approximately 9 million Android devices infected with Guerrilla malware, which its customers can exploit for various purposes.

“Trend Micro's research in the Guerrilla malware campaign showed overlaps — in the command-and-control infrastructure and communications for instance — between Lemon Group's operations and that of Triada. For instance, Trend Micro found the Lemon Group implant tampering with the Zygote process and essentially becoming a part of every app on a compromised device. Also, the malware consists of a main plugin that loads multiple other plugins, each with a very specific purpose. Those include one designed to intercept SMS messages and read OTPs from platforms such as WhatsApp, Facebook, and a shopping app called JingDong. One plugin is a crucial component of an SMS phone verified account (SMS PVA) service that Lemon Group operates for its customers. SMS PVA services basically provide users with temporary or disposable phone numbers they can use for phone number verification when registering for an online service, for instance, and for receiving two-factor authentication and one-time passwords for authenticating to them later. While some use such services for privacy reasons, threat actors like Lemon Group use them to enable customers to bulk register spam accounts, create fake social media accounts, and other malicious activities” (Bleeping Computer, 2023).

The Lemon Group utilizes an additional Guerrilla plugin that enables them to temporarily lease the resources of infected phones to customers. Moreover, a cookie plugin integrates with Facebook-related applications on the user’s device, primarily for ad-fraud purposes. Additionally, a WhatsApp plugin hijacks a user’s WhatsApp sessions to send unwanted messages. Another plugin facilitates the silent installation of apps that would typically require explicit user permission.

Security Officer Comments:
The presence of pre-installed malware on Android phones is not a new issue. Various security vendors have reported instances of malicious applications being introduced at the firmware level on Android devices. In recent years, there has been an increase in the severity of pre-installed malware on Android devices. One notable example is Triada, a Trojan that made modifications to the core Zygote process within the Android OS. Additionally, Trend Micro’s research on the Guerrilla malware campaign revealed connections between the operations of Lemon Group and Triada, such as a shared command-and-control infrastructure and communication methods. For instance, Trend Micro identified the Lemon Group implant interfering with the Zygote process, effectively integrating itself into every app on compromised devices. The malware also comprises a primary plugin that loads multiple additional plugins, each serving a specific purpose. These purposes include intercepting SMS messages and extracting one-time passwords from multiple platforms.

Suggested Correction(s):
Trend Micro has published IoCs related to the main plugin, Sloth, which Trend Micro detects as AndroidOS_Guerilla:

https://www.trendmicro.com/en_us/
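One practical way to use a published IoC list on a fleet of devices is to compare it against each device's package inventory. The script below is an added example (not Trend Micro's tooling or code from the report). It assumes the inventory is the text output of `adb shell pm list packages -f` saved to a file, and that the IoC list is a set of package names; the package names and IoC entries used here are constructed placeholders, not the real campaign indicators. Because a firmware-level implant ships on a read-only partition, the script also lists every package installed from a system partition that is outside the assumed vendor namespaces, so an analyst can review what the OEM image contained. It cannot see a component injected into Zygote itself; that requires comparing the device's system image against a known-good build.

```python
"""Triage an Android package inventory against a list of IoC package names.

Added example, not code from the report or from Trend Micro. Assumptions:
  - input is the output of `adb shell pm list packages -f`, one entry per
    line in the form `package:<apk path>=<package name>`;
  - IOC_PACKAGES holds package names taken from a published IoC list.
    The values below are PLACEHOLDERS for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Partitions that are part of the firmware image; an APK here was pre-installed.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/")

# Package namespaces assumed to belong to the platform itself (assumption:
# extend with the real OEM's namespaces for the device being reviewed).
TRUSTED_NAMESPACES = ("com.android.", "com.google.android.")

# Constructed placeholder IoC list; replace with the published indicators.
IOC_PACKAGES: set[str] = {"com.example.sysupdater"}

# Constructed sample inventory in the `pm list packages -f` format.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/app/SysUpdater/SysUpdater.apk=com.example.sysupdater
package:/data/app/~~Qx1==/com.whatsapp-Ab2==/base.apk=com.whatsapp
package:/vendor/app/Helper/Helper.apk=com.example.helper
"""


@dataclass(frozen=True)
class Package:
    name: str
    apk_path: str

    @property
    def preinstalled(self) -> bool:
        """True when the APK lives on a firmware partition rather than /data."""
        return self.apk_path.startswith(SYSTEM_PREFIXES)

    @property
    def trusted_namespace(self) -> bool:
        return self.name.startswith(TRUSTED_NAMESPACES)


def parse_pm_output(text: str) -> list[Package]:
    """Parse `pm list packages -f` lines into Package records.

    The APK path may itself contain '=' (newer /data/app directories do), so the
    split is on the LAST '=' which always precedes the package name.
    """
    packages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            packages.append(Package(name=name, apk_path=path))
    return packages


def triage(text: str, ioc_packages: set[str]) -> dict[str, list[str]]:
    """Return exact IoC matches and pre-installed packages needing review."""
    packages = parse_pm_output(text)
    ioc_hits = sorted(p.name for p in packages if p.name in ioc_packages)
    review = sorted(
        p.name for p in packages if p.preinstalled and not p.trusted_namespace
    )
    return {"ioc_hits": ioc_hits, "preinstalled_review": review}


if __name__ == "__main__":
    import sys

    inventory = (
        open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1
        else SAMPLE_PM_OUTPUT
    )
    for category, names in triage(inventory, IOC_PACKAGES).items():
        print(f"{category}:")
        for name in names:
            print(f"  {name}")
```

Run it with a captured inventory file as the first argument, or with no argument to process the constructed sample. An IoC hit is a strong signal; a package in the review list is only a lead, since OEMs legitimately ship their own packages on system partitions, so compare it against the vendor's documented image contents before acting.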

Keep your software updated. Only 20 percent of Android devices are running the newest version and only 2.3 percent are on the latest release. Everything from your operating system to your social network apps is a potential gateway for hackers to compromise your mobile device. Keeping software up to date ensures the best protection against most mobile security threats.

Choose mobile security. Just like computers, your mobile devices also need internet security. Make sure to select mobile security software from a trusted provider and keep it up to date.

Install a firewall. Most mobile phones do not come with any kind of firewall protection. Installing a firewall provides you with much stronger protection against digital threats and allows you to safeguard your online privacy.

Always use a passcode on your phone. Remember that loss or physical theft of your mobile device can also compromise your information.

Download apps from official app stores. Both the Google Play and Apple App stores vet the apps they sell; third-party app stores don’t always. Buying from well-known app stores may not ensure you never get a bad app, but it can help reduce your risk.

Always read the end-user agreement. Before installing an app, read the fine print. Grayware purveyors rely on your not reading their terms of service and allowing their malicious software onto your device.

Link(s):
https://www.darkreading.com/