Cyber Crime

Lemon Group gang pre-infected 9 million Android devices for fraudulent activities

The Lemon Group cybercrime ring has reportedly pre-installed malware known as Guerrilla on almost 9 million Android devices.

A cybercrime group tracked as Lemon Group has reportedly pre-installed malware known as Guerrilla on almost 9 million Android devices. Infected devices were used for multiple malicious activities, including traffic redirection through mobile proxies, info-stealing, click fraud, the abuse of social media and online messaging accounts, and monetization via advertisements.

The network of compromised devices was discovered by Trend Micro which shared details of its investigation at the Black Hat Asia 2023 conference in May.

The threat actors infected at least 8.9 million Android devices, most of them budget phones. The highest numbers of infected devices were found in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Trend Micro linked the operation to the operators of the Triada Trojan. Triada was first spotted in 2016 by researchers at Kaspersky Lab, who considered it the most advanced mobile threat seen up to that time.

Triada was designed with the specific intent of committing financial fraud, typically by hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan is its modular architecture, which theoretically gives it a wide range of abilities.

The Triada Trojan uses the Zygote parent process to inject its code into the context of every application on the device, which means the threat is able to run inside each app.

The only way to remove the threat is to wipe the smartphone and reinstall the OS.

In March 2018, security researchers at the antivirus firm Dr. Web discovered that 42 models of low-cost Android smartphones were shipped with the Android.Triada.231 banking malware.

“We identified the malware as Guerrilla and deployed by the threat actor group we named “Lemon Group” based on the URLs of their customer-facing pages (the group has since changed their website URLs after Trend Micro’s first reports on the SMS PVA botnet campaign).” reads the analysis published by Trend Micro. “We identified the infrastructure of their backend, including the malicious plugins and command and control (C&C) servers, and observed an overlap: the Guerrilla malware’s exchange with that of the Triada operators’ communication and/or network flow.”

The overlap suggests that the two groups likely collaborated at some point.

The researchers first uncovered the operation of the Lemon Group in February 2022. Soon after the security firm published a report on the group, the gang rebranded under the name ‘Durian Cloud SMS’, but maintained the C2 infrastructure.

Following the reports of Android devices being compromised by Guerrilla malware, the experts purchased a phone and conducted a forensic analysis on the extracted ROM image. They discovered that a system library called libandroid_runtime.so had been tampered with to inject a snippet of code into a function called println_native, which is called whenever logs are printed. The injected code decrypts a DEX file from the library's data section and loads it into memory. The domain used by the DEX file (js***[.]big******[.]com) belongs to the Lemon Group, as does the main plugin called “Sloth.”
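The tampered system library described above is something a firmware analyst can look for when triaging an extracted ROM. The following is an added example (not code from the Trend Micro report or from Security Affairs) that compares each copy of libandroid_runtime.so against a constructed allowlist of known-good SHA-256 hashes and scans native libraries for an embedded DEX header; the allowlist hash is a placeholder, and because the loader in the article stores its DEX encrypted, the hash comparison is the check that actually matters, while the magic scan only catches unencrypted payloads.

```python
import hashlib
import os
import re

# DEX header magic: "dex\n" followed by a three-digit version and a NUL (e.g. dex\n035\0).
DEX_MAGIC = re.compile(rb"dex\n0[0-9]{2}\x00")

# Constructed allowlist: SHA-256 of the vendor's clean build of each library.
# The value below is a placeholder; populate it from firmware you trust.
KNOWN_GOOD = {
    "libandroid_runtime.so": {"0" * 64},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_dex_headers(data: bytes) -> list[int]:
    """Return byte offsets of DEX magic found inside a native library.
    An encrypted embedded DEX (as in the loader described above) will not match."""
    return [m.start() for m in DEX_MAGIC.finditer(data)]


def triage_library(name: str, data: bytes, allowlist=KNOWN_GOOD) -> dict:
    """Flag a library whose hash is not a known-good build or that carries a DEX file."""
    digest = sha256(data)
    findings = []
    expected = allowlist.get(name)
    if expected is not None and digest not in expected:
        findings.append("hash does not match a known-good build")
    offsets = find_dex_headers(data)
    if offsets:
        findings.append(f"embedded DEX header at offset(s) {offsets}")
    return {"name": name, "sha256": digest, "findings": findings,
            "suspicious": bool(findings)}


def triage_rom(root: str, allowlist=KNOWN_GOOD) -> list[dict]:
    """Walk an extracted ROM tree and triage every library named in the allowlist."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn in allowlist:
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    results.append(triage_library(fn, fh.read(), allowlist))
    return results


if __name__ == "__main__":
    import sys
    for r in triage_rom(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(r["name"], r["sha256"], "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

Run it against the directory holding the extracted system partition; any library reported as suspicious deserves a closer look at println_native and the data section.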

“The implant is a tampered zygote dependency library that will load a downloader into a zygote process. The loaded downloader (we called main plugin) can download and run other plugins. With this, every time other app processes are forked from the zygote, it would also be tampered.” continues the report. “The main plugin will load other plugins with the current process being the target, and the other plugins will try to control the current app via a hook. The Lemon Group’s method is similar to Xposed framework development, with both modified zygote processes to implement global process injection.”

The Guerrilla malware has a modular structure; each plugin was designed to support a specific feature, including:

  • SMS Plugin: Intercepts one-time passwords sent via SMS. It targets various platforms, including WhatsApp, JingDong, and Facebook.
  • Proxy Plugin and proxy seller: Sets up a reverse proxy on the infected phone so that the network resources of the affected device can be sold through the group's DoveProxy business.
  • Cookie plugin/WhatsApp plugin/Send plugin: Hooks Facebook-related apps and intercepts specific activities to launch events; it also hijacks WhatsApp sessions to send unwanted messages.
  • Splash Plugin: Hooks popular apps to intercept specific activities, such as launch events, and requests ads from advertisers; it displays intrusive advertisements while victims are using legitimate applications.
  • Silent Plugin: Performs silent installation of apps and launches the installed app.

The experts speculate that the attack vector employed by the Lemon Group is a supply chain attack, in which threat actors compromise third-party software or arrange the installation of malware-laced firmware.

The Lemon Group focuses on the use of big data gathered from compromised devices to monitor customers, who can then be further infected with other malicious payloads crafted for specific fraudulent activities, such as showing advertisements to app users from certain regions.

“We identified over 50 different images from a variety of vendors carrying initial loaders. The more recent versions of the loaders use fileless techniques when downloading and injecting other payloads. With this latest development, public repositories for threat intelligence do not list these updated loaders and the forensic analysis of such devices and images have become significantly harder.” concludes the report. “Comparing our analyzed number of devices with Lemon Group’s alleged reach of 8.9 million, it’s highly likely that more devices have been preinfected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market. Shortly after our Black Hat presentation, we noted that the page hosting these numbers of their reach was taken down.”

The report also includes indicators of compromise for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Lemon Group)
