Millions of Android phone users around the world are contributing daily to the financial wellbeing of an outfit called the Lemon Group, merely by virtue of owning the devices.
Unbeknownst to those users, the operators of the Lemon Group have pre-infected their devices before they even bought them. Now, they’re quietly using their phones as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.
Lemon Group itself has claimed it has a base of nearly 9 million Guerrilla-infected Android devices that its customers can abuse in different ways. But Trend Micro believes the actual number may be even higher.
Building a Business on Infected Devices
Lemon Group is among several cybercriminal groups that have built profitable business models around pre-infected Android devices in recent years.
Researchers from Trend Micro first began unraveling the operation when doing forensic analysis on the ROM image of an Android device infected with malware dubbed “Guerrilla.” Their investigation showed the group has infected devices belonging to Android users in 180 countries. More than 55% of the victims are in Asia, some 17% are in North America and nearly 10% in Africa. Trend Micro was able to identify more than 50 brands of — mostly inexpensive — mobile devices.
In a presentation at the just concluded Black Hat Asia 2023, and in a blog post this week, Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares shared their insights on the threat that outfits like Lemon Group pose to Android users. They described it as a continuously growing problem that has begun touching not just Android phone users but owners of Android Smart TVs, TV boxes, Android-based entertainment systems, and even Android-based children’s watches.
“Following our timeline estimates, the threat actor has spread this malware over the last five years,” the researchers said. “A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users.”
An Old but Evolving Malware Infection Issue
The issue of Android phones being shipped with malware pre-installed on them is certainly not new. Numerous security vendors — including Trend Micro, Kaspersky, and Google — have reported over the years on bad actors introducing potentially harmful applications at the firmware layer on Android devices.
In many instances, the tampering has happened when an Android OEM, looking to add additional features to a standard Android system image, outsourced the task to a third-party. In some instances, bad actors have also managed to sneak in potentially harmful applications and malware via firmware over-the-air (FOTA) updates. A few years ago, most of the malware found preinstalled on Android devices were information stealers and ad servers.
Typically, such tampering has involved inexpensive devices from mostly unknown and smaller brands. But on occasion, devices belonging to bigger vendors and OEMs have been impacted as well. Back in 2017 for instance, Check Point reported finding as many as 37 Android device models from a large multi-national telecommunication company, pre-installed with such malware. The threat actor behind the caper added six of the malware samples to the device ROM so the user couldn’t remove them without re-flashing the devices.
Pre-Installed Malware Gets More Dangerous
In recent years, some of the malware found pre-installed on Android devices have become much more dangerous. The best example is Triada, a Trojan that modified the core Zygote process in the Android OSa. It also actively substituted system files and operated mostly in the system’s RAM, making it very hard to detect. Threat actors behind the malware used it to, among other things, intercept incoming and outgoing SMS messages for transaction verification codes, display unwanted ads and manipulate search results.
Trend Micro’s research in the Guerrilla malware campaign showed overlaps — in the command-and-control infrastructure and communications for instance — between Lemon Group’s operations and that of Triada. For instance, Trend Micro found the Lemon Group implant tampering with the Zygote process and essentially becoming a part of every app on a compromised device. Also, the malware consists of a main plugin that loads multiple other plugins, each with a very specific purpose. Those include one designed to intercept SMS messages and read OTPs from platforms such as WhatsApp, Facebook, and a shopping app called JingDong.
Plugins for Different Malicious Activities
One plugin is a crucial component of a SMS phone verified account (SMS PVA) service that Lemon Group operates for its customers. SMS PVA services basically provides users with temporary or disposable phone numbers they can use for phone number verification when registering for an online service, for instance, and for receiving two-factor authentication and one-time passwords for authenticating to them later. While some use such services for privacy reasons, threat actors like Lemon Group use them to enable customers to bulk register spam accounts, create fake social media accounts, and other malicious activities.
Another Guerrilla plugin allows Lemon Group to essentially rent out an infected phone’s resources from short periods to customers; a cookie plugin hooks to Facebook-related apps on the user’s devices for ad-fraud related uses; and a WhatsApp plugin hijacks a user’s WhatsApp sessions to send unwanted messages. Another plugin enables silent installation of apps that would require installation permission for specific activities.
“We identified some of these businesses used for different monetization techniques, such as heavy loading of advertisements using the silent plugins pushed to infected phones, smart TV ads, and Google play apps with hidden advertisements,” according to Trend Micro’s analysis. “We believe that the threat actor’s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme.”