A cybercrime group called Lemon Group is using millions of pre-infected Android smartphones globally to carry out malicious activities, such as stealing and selling SMS messages, social media and online messaging accounts, as well as generating revenue through advertisements and click fraud.


According to research by cybersecurity firm Trend Micro, the infections primarily affect budget Android phones, with most of them found in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines and Argentina. The group is also expanding its operations to other Android-based IoT devices.


The malware behind the infections, called Guerilla, has been in circulation for about five years; it first drew attention in 2018 for click fraud and for acting as a backdoor. It has since gained the ability to intercept SMS messages, one-time passwords in particular, and the operation behind it was later rebranded as Durian Cloud SMS.

The group's objective is to bypass SMS-based verification: it sells, in bulk, the ability to receive verification codes on the phone numbers of unwitting victims, so that buyers can register accounts on services that require a phone number. The findings show that the malware is built from multiple plugins that enable the various malicious activities, including setting up reverse proxies, harvesting user data, hijacking sessions, displaying unwanted ads, and silently installing other apps.
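Because Guerilla ships in the firmware, its SMS-interception and silent-install plugins run from a system partition with privileges a sideloaded app would not get. A practical first triage step on a suspect handset is therefore to list every package living on a system partition that has been granted SMS or package-install permissions and is not from a vendor you recognise. The script below is an added example written for this article, not code from Trend Micro's research or from the malware; it parses the output of `adb shell dumpsys package` (the field names `Package [...]`, `codePath=` and `granted=true` are what that command prints on current Android builds), and the package names, the dumpsys excerpt and the trusted-vendor prefix list are all constructed for the demonstration.

```python
"""Triage helper: flag system-partition Android packages that hold SMS or
package-install permissions, parsed from `adb shell dumpsys package` output.

Added example for this article; not Trend Micro's tooling. Package names
and the dumpsys excerpt below are constructed, not taken from real devices.
"""
import re
from dataclasses import dataclass, field

# Partitions whose contents come from the firmware image rather than the user.
SYSTEM_PARTITIONS = ("/system", "/system_ext", "/product", "/vendor", "/oem", "/odm")

# Permissions that matter for OTP theft (SMS) and silent app installation.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.INSTALL_PACKAGES",
}

# Hypothetical allow-list: prefixes of packages the reviewer has already vetted.
# On a real engagement, build this from a known-clean image of the same model.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
CODEPATH_RE = re.compile(r"^\s*codePath=(\S+)")
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): granted=(true|false)")


@dataclass
class PackageInfo:
    name: str
    code_path: str = ""
    granted: set = field(default_factory=set)


def parse_dumpsys_package(text):
    """Return {package_name: PackageInfo} from `dumpsys package` output.

    A package updated from /data also appears under "Hidden system packages:"
    with its original firmware codePath; both records merge into one entry,
    so the firmware location wins and all granted permissions are kept.
    """
    packages = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = packages.setdefault(m.group(1), PackageInfo(m.group(1)))
            continue
        if current is None:
            continue
        m = CODEPATH_RE.match(line)
        if m:
            current.code_path = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            current.granted.add(m.group(1))
    return packages


def is_system_partition(path):
    return any(path == p or path.startswith(p + "/") for p in SYSTEM_PARTITIONS)


def flag_suspicious(packages):
    """Return {package_name: [sensitive permissions]} for firmware-resident,
    non-allow-listed packages that were granted any sensitive permission."""
    flagged = {}
    for pkg in packages.values():
        if not is_system_partition(pkg.code_path):
            continue
        if pkg.name.startswith(TRUSTED_PREFIXES):
            continue
        hits = sorted(pkg.granted & SENSITIVE_PERMISSIONS)
        if hits:
            flagged[pkg.name] = hits
    return flagged


# Constructed excerpt in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.messaging] (a1b2c3):
    userId=10042
    codePath=/system/priv-app/Messaging
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ GRANTED_BY_DEFAULT ]
        android.permission.READ_SMS: granted=true, flags=[ GRANTED_BY_DEFAULT ]
  Package [com.example.oem.wallpaper] (d4e5f6):
    codePath=/product/app/Wallpaper
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.sms.plugin] (07a8b9):
    codePath=/system/priv-app/SmsPlugin
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ GRANTED_BY_DEFAULT ]
        android.permission.SEND_SMS: granted=false, flags=[ ]
  Package [com.example.sideloaded] (c0ffee):
    codePath=/data/app/~~xyz/com.example.sideloaded-1
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for name, perms in flag_suspicious(parse_dumpsys_package(SAMPLE_DUMPSYS)).items():
        print(f"{name}: {', '.join(perms)}")
```

To use it against a real handset, capture `adb shell dumpsys package > dump.txt` and feed the file's contents to `parse_dumpsys_package`. Treat the result as a starting point rather than a verdict: a firmware-resident loader can hide inside a legitimate-looking system app, fetch its SMS and install plugins later, or run its own code inside a vendor-signed process, so a clean listing does not clear the device, and anything the script flags still needs the APK pulled and examined.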

The researchers also found infrastructure overlaps between Lemon Group and the Triada mobile trojan, suggesting possible collaboration between the two groups. The unauthorized firmware modifications are suspected to have been introduced through a third-party vendor that supplies firmware components for mobile phones.
