A cybercrime group called Lemon Group is using millions of pre-infected Android smartphones globally to carry out malicious activities, such as stealing and selling SMS messages, social media and online messaging accounts, as well as generating revenue through advertisements and click fraud.
According to research by cybersecurity firm Trend Micro, the infections primarily affect budget Android phones, with the majority found in countries such as the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines and Argentina. The group is also expanding its operations to target other Android-based IoT devices.
The malware strain responsible for the infections is called Guerilla and has been spreading for the past five years, first gaining attention in 2018 for engaging in click fraud and acting as a backdoor. The malware later evolved to intercept SMS messages, particularly one-time passwords, and changed its name to Durian Cloud SMS.
The objective of the group is to bypass SMS-based verification and sell bulk virtual phone numbers obtained from unsuspecting users. The findings reveal that the malware consists of multiple plugins that enable various malicious activities, including setting up reverse proxies, harvesting user data, hijacking sessions, displaying unwanted ads, and silently installing other apps.
The researchers also discovered infrastructure overlaps between Lemon Group and another mobile trojan called Triada, suggesting possible collaboration between Lemon Group and the Triada operators. The unauthorized firmware modifications are suspected to have been introduced through a third-party vendor involved in producing firmware components for mobile phones.
Indicators of Compromise