
A cybercriminal enterprise known as Lemon Group has exploited millions of infected Android smartphones worldwide to perform malicious operations, posing significant risks to the supply chain.
“The infection turns these devices into tools for stealing and selling mobile proxies, SMS messages, social media and online messaging accounts, or monetizing them through advertising and click fraud,” said cybersecurity firm Trend Micro.
The campaign compromised over 8.9 million Android devices, especially budget phones, with the majority of infections found in the United States, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
The findings were presented last week at the Black Hat Asia conference in Singapore by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, Paul Pajares and others.
The cybersecurity firm describes this as an ever-evolving problem, with attackers extending their reach to other Android-based IoT devices such as smart TVs, Android TV boxes, entertainment systems, and even children’s watches.
The infection has spread to more than 180 countries around the world, and more than 50 brands of mobile devices have been infected with a malware strain called Guerrilla.
“According to our timeline estimates, the attackers have been spreading this malware over the past five years,” the researchers said. “If critical infrastructure is compromised by this infection, it could prove hugely profitable for Lemon Group in the long run at the expense of legitimate users.”
Guerrilla was first documented by Sophos in 2018, when it discovered 15 apps uploaded to the Play Store with the ability to engage in click fraud and act as backdoors.
The malware also gained prominence in early 2022 for its ability to intercept SMS messages matching predefined characteristics, such as one-time passwords (OTPs) associated with various online platforms. The actor changed the business name from Lemon to Durian Cloud SMS.
According to Trend Micro, the goal is to promote and sell a large number of virtual phone numbers belonging to unsuspecting users of infected Android devices in order to bypass SMS-based authentication and create online accounts.

Although such services have privacy benefits and allow users to sign up for a service using temporary or disposable phone numbers, they can be abused to create massive numbers of spam accounts and commit fraud.
The cybersecurity firm’s latest findings show that SMS retrieval is just one of many plugins associated with a downloader component (aka main plugin) that is loaded into the zygote process by a compromised library.
It is worth noting that the same technique of modifying the zygote process was employed by another mobile Trojan called Triada.
“This means that whenever another app’s process forks from the zygote, the zygote is also tampered with,” the researchers said. “The main plugin targets the current process to load other plugins, which in turn attempt to control the current app via hooks.”
Each Guerrilla plugin offers Lemon Group actors specific business functionality and monetization opportunities. Some of them are listed below.
- A proxy plugin that allows setting up a reverse proxy from an infected mobile phone and lending out access to the affected mobile device’s network resources to other attackers
- Cookie plugins that collect your Facebook cookies and other profile information
- WhatsApp plugin that hijacks sessions and sends unwanted messages
- Splash plugins that serve deceptive ads when certain apps are launched
- A silent plugin that secretly installs APK files and launches apps
Further investigation into the sprawling operation revealed overlapping infrastructure between the Lemon Group and Triada, suggesting that the groups may have worked together at some point.
The unauthorized modification of the firmware is believed to have been made through an unnamed third-party vendor that “manufactures firmware components for mobile phones” and also manufactures similar components for Android Auto.
The disclosure comes as Microsoft security researcher Dimitrios Valsamaras detailed a new attack technique called “Dirty Stream” that turns Android’s share targets into a vector for distributing malicious payloads and obtaining sensitive data from other apps installed on the device.
“The concept is similar to file upload vulnerabilities in web applications,” Valsamaras said. “More specifically, the malicious app uses a specially crafted content provider to carry the payload it sends to the target application.”
“Because the sender controls not only the content, but also the name of the stream, the receiver may overwrite important files with malicious content in case they fail to perform the required security checks. In addition, if certain conditions apply, the recipient may also be forced to copy a protected file to a public directory, putting the user’s personal data at risk.”
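To illustrate the “required security checks” the quoted paragraph refers to, here is an added example of a hardened Android share-target receiver; it is not code from the article or from Microsoft’s write-up, and the `SafeShareReceiver` class, the `inbox` subdirectory and the `MAX_BYTES` cap are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

public final class SafeShareReceiver {
    private static final long MAX_BYTES = 10L * 1024 * 1024; // assumed size cap

    // Accept the sender-supplied name only if it is a plain file name that still
    // resolves inside inboxDir after canonicalisation; otherwise return null.
    static File resolveDestination(File inboxDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()) return null;
        if (displayName.contains("/") || displayName.contains("\\")) return null; // no separators
        File dest = new File(inboxDir, displayName);
        String base = inboxDir.getCanonicalPath() + File.separator;
        return dest.getCanonicalPath().startsWith(base) ? dest : null;   // also rejects "..", "."
    }

    // Copy the shared stream into a dedicated inbox directory, trusting neither the
    // name advertised by the content provider nor the amount of data it returns.
    public static File receive(Context ctx, Uri uri) throws IOException {
        ContentResolver cr = ctx.getContentResolver();
        String name = null;
        try (Cursor c = cr.query(uri, new String[]{OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            int i = (c != null && c.moveToFirst()) ? c.getColumnIndex(OpenableColumns.DISPLAY_NAME) : -1;
            if (i >= 0) name = c.getString(i);
        }
        File inbox = new File(ctx.getFilesDir(), "inbox");
        if (!inbox.isDirectory() && !inbox.mkdirs()) throw new IOException("cannot create inbox");
        File dest = resolveDestination(inbox, name);
        if (dest == null) throw new IOException("rejected stream name: " + name);
        byte[] buf = new byte[8192];
        long total = 0;
        try (InputStream in = cr.openInputStream(uri); FileOutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream");
            for (int n; (n = in.read(buf)) > 0; ) {
                total += n;
                if (total > MAX_BYTES) { dest.delete(); throw new IOException("stream too large"); }
                out.write(buf, 0, n);
            }
        }
        return dest;
    }
}
```

Writing only into a dedicated subdirectory means that even an accepted name cannot clobber the app’s databases or shared preferences, which is the class of overwrite the quoted description warns about.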