A malware named "Guerilla" has been pre-installed on almost 9 million Android handsets by 50 smartphone makers, smartwatches, TVs and TV boxes by a cybercrime enterprise identified as "Lemon Group". According to IT security firm Trend Micro, its researchers have discovered the money-making business and monetisation strategies built on top of the pre-infected devices marketed and sold by one of the threat actor groups we named Lemon Group.


What is Lemon Group doing with Guerilla malware


The researchers have also given an overview of how these devices were infected, the malicious plug-ins used, and the groups’ professional relationships.


"While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: Analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push.


"This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions," researchers at Trend Micro said.


Trend Micro's research was recently presented at Black Hat Asia 2023 security conference in Singapore. The malware operator behind the Guerrilla malware reportedly has similarities with the Triada trojan that was detected back in phones in 2016. However, the Triada malware was reportedly implanted into several devices, and in 2019 Google confirmed a case of OEM image being used by third-party vendors without notifying the OEM company.


"Comparing our analyzed number of devices with Lemon Group’s alleged reach of 8.9 million, it’s highly likely that more devices have been preinfected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market," the researchers noted.


"Shortly after our Black Hat presentation, we noted that the page hosting these numbers of their reach was taken down. But noting our detections for this investigation alone, we were able to identify over 50 brands of mobile devices that have been infected by Guerilla malware, and one brand we’ve identified as a 'Copycat' brand of the premiere line of devices from leading mobile device companies. Following our timeline estimates, the threat actor has spread this malware over the last five years. A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users."