Millions of Android devices already contain malware before a consumer gets their hands on them. A cybercrime collective operating under the name “Lemon Group” uses the infected hardware for various criminal activities. With the so-called Guerrilla malware, the possibilities for crime are enormous.
Last week we reported on a similar case in which millions of smartphones were infected by a party somewhere in the production process. This, too, is Trend Micro research highlighting the malware problem.
The majority of infected devices are said to be in Asia (55 percent), although the Americas also account for a significant share (17 and 14 percent, respectively). Cheap devices are said to be mainly affected. One possible explanation is that manufacturers of low-cost hardware can only maintain rock-bottom prices by pushing their costs down unreasonably far. This allows a criminal organization to present itself as a legitimate supplier somewhere in the production process, for example for installing firmware.
Guerrilla was first discovered in 2018 by security firm Sophos. The malware lets the Android device communicate with a command-and-control (C&C) server through a backdoor. Originally it was a plugin that automatically clicked ads on the affected user’s phone (an ‘ad clicker’ for short), generating income for the criminal organization. However, since Guerrilla can receive updates remotely, its capabilities have expanded since 2018.
The specific functions of the Guerrilla malware now differ per device, depending on what the criminals want. SMS plugins can intercept one-time passwords for WhatsApp and other communication apps. The proxy login can steal bandwidth from the user; this is linked to ‘proxy jacking’, in which the stolen internet access is sold on.
Another possibility is a cookie plugin that hijacks Facebook or WhatsApp accounts to send malicious messages. According to Trend Micro, all of these options allowed Lemon Group to build a diverse revenue model. Aside from the illegally obtained revenue, the malware can be a headache for legitimate users: criminal activity may be wrongly tied to the IP address of an unsuspecting Android user, or a WhatsApp user’s contacts may become suspicious because of the illegally sent messages.
Trend Micro discovered the custom firmware in an Android phone whose ROM image showed that something was not quite right. The ‘libandroid_runtime.so’ library contained additional code to load and run a DEX file. Every Android application includes such files, which hold the compiled bytecode for the Java code it runs.
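As an added illustration (not code from the article or from the Trend Micro research), the check below shows how a firmware auditor could flag a native library such as libandroid_runtime.so that has been extended to carry and load a DEX payload. It compares the file’s SHA-256 against a known-good reference hash and scans the binary for DEX header magic and for the JNI class names a native loader would reference. The sample library bytes and the “known-good” hash are constructed for the demonstration and stand in for a real library and a vendor-published hash.

```python
import hashlib
import re
import sys

# DEX file magic: "dex\n" followed by a three-digit format version and a NUL,
# e.g. b"dex\n035\x00". A native runtime library has no reason to embed one.
DEX_MAGIC = re.compile(rb"dex\n0[0-9]{2}\x00")

# Class names a native library must reference to hand a DEX to the Java side
# via JNI. Heuristic indicators only; presence alone is not proof of tampering.
JNI_LOADER_STRINGS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
)


def find_embedded_dex(blob: bytes) -> list:
    """Return the byte offsets of every DEX header magic found in the blob."""
    return [m.start() for m in DEX_MAGIC.finditer(blob)]


def find_loader_strings(blob: bytes) -> list:
    """Return the JNI loader class names that appear verbatim in the blob."""
    return [s.decode() for s in JNI_LOADER_STRINGS if s in blob]


def check_library(blob: bytes, known_good_sha256: str) -> dict:
    """Compare a library against a reference hash and look for DEX-loading indicators.

    verdict: "clean"      - hash matches the reference
             "modified"   - hash differs but no DEX indicators were found
             "suspicious" - hash differs and the file carries DEX indicators
    """
    digest = hashlib.sha256(blob).hexdigest()
    dex_offsets = find_embedded_dex(blob)
    loader_strings = find_loader_strings(blob)
    if digest == known_good_sha256:
        verdict = "clean"
    elif dex_offsets or loader_strings:
        verdict = "suspicious"
    else:
        verdict = "modified"
    return {
        "sha256": digest,
        "dex_offsets": dex_offsets,
        "loader_strings": loader_strings,
        "verdict": verdict,
    }


# Constructed sample data: a minimal 64-bit ELF e_ident plus padding stands in
# for a real libandroid_runtime.so; its hash plays the role of the vendor hash.
ELF_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
CLEAN_LIB = ELF_HEADER + b"\x00" * 64 + b"libandroid_runtime.so\x00"
KNOWN_GOOD = hashlib.sha256(CLEAN_LIB).hexdigest()

# The tampered variant appends a JNI loader class name and a DEX header,
# mimicking a library that was given extra code to run an embedded DEX file.
TAMPERED_LIB = CLEAN_LIB + b"dalvik/system/DexClassLoader\x00" + b"dex\n035\x00" + b"\x00" * 32


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_lib.py <path-to-library> <known-good-sha256>
        with open(sys.argv[1], "rb") as fh:
            print(check_library(fh.read(), sys.argv[2]))
    else:
        for name, blob in (("clean", CLEAN_LIB), ("tampered", TAMPERED_LIB)):
            print(name, check_library(blob, KNOWN_GOOD))
```

The hash comparison is the authoritative check: a library that matches the vendor’s published hash needs no further inspection. The DEX-magic and JNI-string scan only refines the verdict for files whose hash differs, so that a legitimate vendor update (hash changed, no indicators) is distinguished from a library that now carries bytecode-loading logic it never needed.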
Trend Micro researchers had already exposed Lemon Group in February 2022, after which the criminals renamed themselves “Durian Cloud SMS”. The researchers do not report exactly how the malware ends up on the hardware, but they do say what kinds of devices are affected. In addition to smartphones, the malicious parties also install malware on smartwatches, smart TVs and more. Since Android runs on a huge variety of devices and more and more ‘smart devices’ are ending up in homes, the malware could potentially be installed practically anywhere that runs Android. Now that a party like Samsung is even building refrigerators with a modified Android variant, only the imagination limits where malware could appear. In that specific case, however, the product sits in a high price segment, and a brand such as Samsung can be expected to have a much better grip on its supply chain.