Millions of Android devices already contain malware before the consumer gets it. A cybercrime collective operating under the name “Lemon Group” uses infected devices for various criminal activities. With the so-called Guerrilla malware, the crime possibilities are enormous.
Last week we already reported a similar situation in which millions of smartphones were infected by a party in the production process. Again, this is research from Trend Micro that highlights the malware issue.
The majority of infected devices are said to be in Asia (55 percent), although the Americas together also account for a large share (17 and 14 percent, respectively). It mainly concerns cheap equipment. One possible explanation is that manufacturers of low-cost devices can only keep prices so low by cutting costs unreasonably. This allows a criminal organization to pose as a legitimate provider somewhere in the production process, for example to install firmware.
Guerrilla was first discovered in 2018 by the security company Sophos. The malware allows an Android device to connect to a command and control server through a backdoor. Originally it was a plugin that automatically clicks ads on the affected user’s phone (an adclicker for short), generating income for the criminal organization. However, since Guerrilla can receive remote updates, its capabilities have expanded since 2018.
The specific functionality of the Guerrilla malware now varies by device, depending on what the criminals want. SMS plugins can intercept one-time passwords for WhatsApp and other communication applications. A proxy plugin can steal bandwidth from the user; this is linked to “proxy jacking”, trading access to the stolen Internet connection.
Other possibilities include a cookie plugin that hijacks Facebook or WhatsApp accounts to send malicious messages. According to Trend Micro, all of these options have allowed Lemon Group to create a diversified revenue model. Aside from the illegally obtained profits, the malware can also be a problem for legitimate users: think of criminal activity being wrongly associated with an unsuspecting Android user’s IP address, or a WhatsApp user being made suspect through illegally sent messages.
Trend Micro detected the custom firmware in an Android phone. The ROM image showed that something wasn’t quite right: the ‘libandroid_runtime.so’ library contained additional code to run a DEX file. Every Android app includes DEX files to call the Java libraries it uses.
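The finding above is a classic firmware integrity problem: a system library that should be byte-identical to the vendor build was altered. The simplest defensive check is to compare an unpacked suspect ROM against a known-good baseline of the same build. The script below is an added example, not Trend Micro’s tooling or the vendor’s; it assumes both images have already been unpacked into directories, that a trusted baseline build exists, and it constructs two small sample trees in a temporary directory (the file contents are constructed placeholders, not real binaries).

```python
"""Baseline comparison of an unpacked Android ROM against a known-good build.

Added example (assumption: both ROMs are unpacked directory trees, and a
trusted baseline of the same build number is available). The sample trees are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large system images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file (path relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict, suspect: dict) -> dict:
    """Report files modified, added or missing in the suspect image versus baseline.

    A modified system library (such as libandroid_runtime.so) or an added
    privileged app are the findings a firmware review would escalate.
    """
    return {
        "modified": sorted(k for k in baseline if k in suspect and baseline[k] != suspect[k]),
        "added": sorted(k for k in suspect if k not in baseline),
        "missing": sorted(k for k in baseline if k not in suspect),
    }


def write_tree(root: Path, files: dict) -> None:
    """Constructed sample: write {relative_path: bytes} under root."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed ROM trees: the suspect image carries a modified
    libandroid_runtime.so and an extra privileged app the baseline lacks."""
    clean = {
        "system/lib64/libandroid_runtime.so": b"ELF\x02 constructed clean runtime stub",
        "system/lib64/libc.so": b"ELF\x02 constructed libc stub",
        "system/build.prop": b"ro.build.version.release=13\n",
    }
    suspect = dict(clean)
    suspect["system/lib64/libandroid_runtime.so"] = (
        b"ELF\x02 constructed clean runtime stub + constructed injected loader"
    )
    suspect["system/priv-app/extra/extra.apk"] = b"PK constructed apk placeholder"
    with tempfile.TemporaryDirectory() as tmp:
        base_dir, susp_dir = Path(tmp) / "baseline", Path(tmp) / "suspect"
        write_tree(base_dir, clean)
        write_tree(susp_dir, suspect)
        return diff_manifests(build_manifest(base_dir), build_manifest(susp_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest comes from a vendor image with the same build fingerprint, and the comparison is done over the unpacked system and vendor partitions; on devices with Android Verified Boot enabled, a modified system library would also fail dm-verity, which is why the supply-chain cases described here matter most on devices where that protection is absent or re-keyed.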
Trend Micro researchers had already exposed the Lemon Group in February 2022, after which the criminals renamed themselves “Durian Cloud SMS”. The researchers do not say exactly how the malware ends up on the devices, but they do say what kind of equipment is affected. In addition to smartphones, malicious parties also install malware on smartwatches, smart TVs, and more. As Android runs on a large variety of devices and more and more “smart devices” end up in homes, malware can potentially be installed practically anywhere (as long as the device runs Android). With a party like Samsung currently building refrigerators with a modified Android variant, only imagination limits where the malware can turn up. However, in that specific case it is a product in a higher price segment, and we can expect a brand like Samsung to have better control over its supply chain.