According to a warning from Trend Micro, preinstalled malware has given a threat actor control over millions of cell phones scattered throughout the globe. It has been known for many years that some cell phones, especially inexpensive models, may ship pre-loaded with dubious software that gives businesses or other entities access to user data. One of the best-known such operations involved Triada, a sophisticated trojan placed on Android smartphones whose existence was discovered in 2016.
Since 2021, Trend Micro has been monitoring a separate operation that appears to be connected to Triada. The cybersecurity company has identified the campaign’s organizers as Lemon Group, and the malware pre-installed on smartphones is known as Guerrilla. After Trend Micro revealed the campaign’s activities last year, the threat actor renamed its operation from Lemon to Durian Cloud SMS, and the campaign has been ongoing at least since then. In a new report released on Wednesday, Trend Micro said it analyzed the Guerrilla malware after purchasing a phone and extracting its ROM image for forensic examination.
“While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push,” Trend Micro explained.
For example, by serving adverts only to app users in specific locations, Lemon Group can build on its monitoring of clients, who may then be infected further with other applications. In one such case, a downloader, which Trend Micro describes as an implant placed by Lemon Group, loads the primary plugin, which can then retrieve and run additional plugins.
The secondary plugins can intercept SMS messages, including those containing one-time passwords for well-known services such as Facebook and WhatsApp, set up a reverse proxy on infected devices, gather application data, force official apps to launch with advertisements, and send application data to third parties. These implants are usually added not by the OEM itself but by third-party suppliers to whom the OEM hands the system image so that additional features can be included; the OEM is unaware that Guerrilla malware is among the features they install.
While tracking queries from devices on which the Lemon and Durian SMS services were in use, Trend Micro discovered more than 490,000 phone numbers from more than 180 countries. The top 10 nations are the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The security company also observed that Lemon Group’s website had claimed it could reach 8.9 million devices, but the page with these figures had recently been deleted, suggesting that the actual number of devices with the malware installed is far higher.
Trend Micro has observed malware from Lemon Group and comparable threat actors on smart TVs, Android TV boxes, children’s smartwatches, and other Internet of Things (IoT) devices. However, its study in this case centered on smartphones.