Guerrilla Campaign: Lemon Group’s Business of Pre-infected Devices

A threat actor gained control over millions of smartphones distributed around the world via preinstalled malware. According to Trend Micro, the actors behind the campaign are known as Lemon Group, and they preloaded the Guerrilla malware on the devices.

The Lemon Group’s campaign

The campaign has been active since 2018, and the attacker renamed its operation from Lemon to Durian Cloud SMS after Trend Micro detailed its operations last year.
  • Lemon Group conducts business for marketing and advertising companies and utilizes big data.
  • This lets the threat actor monitor infected users and push additional apps onto their devices, for example to display advertisements to app users in specific regions.
  • The security firm analyzed the Guerrilla malware by acquiring a phone and extracting its ROM image.

Who are the victims?

Trend Micro found over 490,000 active services from Durian Cloud SMS across 180 countries, with the top 10 being Mexico, the U.S., Indonesia, Russia, South Africa, Thailand, India, the Philippines, Argentina, and Angola.

Use of plugins

Durian Cloud SMS uses an implant that loads a downloader, which serves as the main plugin for fetching and running other plugins.
  • The secondary plugins capture SMS messages (including OTPs for WhatsApp and Facebook) and set up a reverse proxy on the device.
  • Other plugins collect application data, deliver ads when official apps are launched, and hijack WhatsApp to send messages.

Conclusion

The large-scale infection can be profitable for Durian Cloud SMS in the long run, as it could compromise critical infrastructure. This also highlights the risk to users' privacy posed by copycat brands of premium devices. To mitigate this risk, users should always purchase smartphones from genuine brands instead of copycats.
Cyware Publisher