A cybercrime company known as Lemon Group leverage millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks.
“Infections turn these devices into mobile proxies, tools for stealing and selling SMS messages, social media accounts and online messaging, and monetization through advertising and click fraud,” cybersecurity firm Trend Micro said.
This activity included no less than 8.9 million compromised Android devices, primarily low-cost phones, with the majority of infections found in the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines and Argentina.
The find served by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week.
Describe it as growing problemthe cybersecurity firm says threat actors are branching out into other Android-based IoT devices such as Smart TVs, Android TV boxes, entertainment systems and even children’s watches.
The infection spread globally in more than 180 countries, with more than 50 brands of mobile devices being compromised by a type of malware called Guerilla.
“Following our time estimates, threat actors have been spreading this malware for the last five years,” the researchers said. “Compromising significant critical infrastructure with this infection is likely to result in significant benefits for the Lemon Group in the long term at the expense of legitimate users.”
Guerrilla first documented beforehand by Sophos in 2018 when it found 15 apps uploaded on the Play Store that retained functionality to engage in click fraud and act as a backdoor.
The malware also attracted attention in early 2022 for its ability to intercept SMS messages matching predefined characteristics such as one-time passwords (OTP) associated with various online platforms, shortly after which attackers changed the business name from Lemon to Durian. Cloud SMS.
The goal, per Trend Micro, is to bypass SMS-based verification and advertise mass virtual phone numbers – belonging to users of infected Android handsets – for sale in order to set up accounts online.
While these services have privacy advantages, allowing users to sign up for the service using temporary or disposable phone numbers, they can also be abused to create spam accounts on a large scale and commit fraud.
Recent findings from the cybersecurity firm illustrate that the SMS grabbing feature is just one of the many plugins associated with the downloader component (aka the main plugin) loaded into zygote process through the tampered library.
“With this, whenever another application process branches off from the zygote, that too will be damaged,” the researchers said. “The main plugin will load another plugin with the current process being the target, and the other plugin will try to control the current application via a hook.”
Each Guerilla plugin serves a specific business function and monetization opportunity for Lemon Group actors. Some of them are listed below –
- Proxy plugin to set up a reverse proxy of the infected phone and allow other actors to lease access to the affected mobile device’s network resources
- Cookie plugin to harvest user’s Facebook cookies and other profile information
- WhatsApp plugin to hijack sessions and send unwanted messages
- Splash plugin for serving unreasonable ads when launching certain applications, and
- Silent plugin to silently install APK files and launch apps
Further investigation into the sprawling operations has revealed overlapping infrastructure with Lemon Group and Triada, suggesting that the two groups may have collaborated at some point.
Unauthorized firmware modifications are believed to have occurred through an unnamed third-party vendor who “produces firmware components for mobile phones” and who also manufactures similar components for Android Auto.
The revelations come as Microsoft security researcher Dimitrios Valsamaras details a new attack method dubbed Dirty Stream that changes Android share targets become a vector for distributing malicious payloads and capturing sensitive data from other applications installed on the device.
“The concept is similar to the file upload vulnerability from a web application,” Valsamaras said. “More specifically, a malicious application uses a specially crafted content provider to shoulder the payload it delivers to the target application.”
“Because the sender controls the content but also the stream name, the recipient can overwrite important files with malicious content if they don’t perform some necessary security checks. In addition, when certain conditions apply, the recipient can also be forced to copy protected files to the public directory, setting data the user’s privacy is at risk.”