Researchers at Trend Micro have uncovered a massive cyber crime campaign that has infected nearly 9 million Android-based devices with preloaded malware.
The affected hardware includes mobile phones, watches (including devices for children), set-top boxes, and televisions.
Trend Micro has been monitoring the group — which it has dubbed the Lemon Group, after the name of one of its malicious domains — since February 2022. The group has since renamed itself Durian Cloud SMS, but much of its infrastructure remains the same.
While Trend Micro has not confirmed exactly how the group is infecting devices, it has found more than 50 infected ROMs, each with malware loaders.
“We identified over 50 different images from a variety of vendors carrying initial loaders,” Trend Micro said in a blog post. “The more recent versions of the loaders use fileless techniques when downloading and injecting other payloads.”
“Comparing our analysed number of devices with Lemon Group’s alleged reach of 8.9 million, it’s highly likely that more devices have been pre-infected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market,” Trend Micro said.
The preloaded malware is capable of intercepting SMS messages, specifically including those carrying one-time passwords for social media apps such as Facebook, and of setting up a reverse proxy to take advantage of the device’s network resources. It can harvest Facebook data such as friends lists and email addresses, and can also hijack WhatsApp sessions to send messages of its own in order to boost Lemon Group’s marketing platforms.
The malware can also display advertisements when official apps are launched, and it is capable of silently installing further apps.
“We identified some of these businesses used for different monetisation techniques, such as heavy loading of advertisements using the silent plugins pushed to infected phones, smart TV ads, and Google Play apps with hidden advertisements,” Trend Micro explained.
“We believe that the threat actor’s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetisation scheme.”
Trend Micro also believes it is possible that the Lemon Group’s reach could extend to Android Auto.
“This widens and creates the possibility that there might be some in-car entertainment systems that are already infected,” Trend Micro said.
“However, as of this writing, we have not identified any device firmware confirmed to be infected with this specific malware payload.”
Trend Micro believes the Lemon Group could well have control of devices in over 180 countries, with the top three being the US, Mexico, and Indonesia.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.