Heimdal Security Blog

Lemon Gang Pre-Infects 9 Million Android Devices With Malware

Nearly 9 million Android-based smartphones, watches, TVs, and TV boxes have been infected with the “Guerrilla” malware, pre-installed on the devices by Lemon Group. The threat actors use the malware to load additional payloads, intercept one-time passwords from SMS, set up a reverse proxy on the infected device, hijack WhatsApp sessions, and more.

Cybersecurity researchers identified over 50 different ROMs infected with initial malware loaders. The infection turns the affected devices into mobile proxies, into tools for stealing and selling SMS messages and social media and online messaging accounts, and into a source of monetization via advertisements and click fraud.

Supply chain attacks, compromised third-party software, a compromised firmware update procedure, or insiders recruited within the supply or manufacturing chain are all potential ways the malware could have been planted on the devices before sale.
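The supply-chain vectors listed above all come down to the same failure: a device accepts a ROM or firmware image that the vendor never actually produced. The defensive control is to verify a vendor-signed manifest before an image is ever trusted. The following Go program is an added example written for this article; it is not code from Lemon Group, from any device vendor, or from the researchers cited here. It assumes a hypothetical vendor signing scheme (Ed25519 over the version string and the image's SHA-256) and uses constructed sample image bytes; the names `Manifest`, `SignManifest` and `VerifyImage` are illustrative, not any real vendor API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed record a vendor publishes next to a ROM image.
// The signature covers the version string and the image hash, so an attacker who
// swaps the image in the supply chain cannot also produce a matching manifest
// without the vendor's private key.
type Manifest struct {
	Version   string
	ImageHash [32]byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: manifest not from vendor")
	ErrHashMismatch = errors.New("image hash does not match signed manifest: image tampered")
)

// signedMessage is the byte string the vendor signs: version, a NUL separator, the hash.
func signedMessage(version string, hash [32]byte) []byte {
	return append([]byte(version+"\x00"), hash[:]...)
}

// SignManifest is the vendor-side step: hash the released image and sign it.
func SignManifest(priv ed25519.PrivateKey, version string, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedMessage(version, h)),
	}
}

// VerifyImage is the device-side (or factory QA) step. The signature is checked
// first so that an attacker-supplied manifest is rejected before its hash is
// even compared; only then is the image bound to the authentic manifest.
func VerifyImage(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedMessage(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Vendor key pair; in practice the public key is pinned in the bootloader.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample ROM image, standing in for a real firmware blob.
	image := []byte("constructed-sample-rom-image-v1")
	m := SignManifest(priv, "1.0.0", image)
	fmt.Println("genuine image:", VerifyImage(pub, m, image))

	// An image modified downstream of the vendor fails the hash check.
	tampered := append([]byte{}, image...)
	tampered = append(tampered, []byte("+injected-loader")...)
	fmt.Println("tampered image:", VerifyImage(pub, m, tampered))

	// A manifest rewritten to match the tampered image fails the signature check,
	// because the attacker cannot sign with the vendor's private key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(attackerPriv, "1.0.0", tampered)
	fmt.Println("forged manifest:", VerifyImage(pub, forged, tampered))
}
```

The order of checks matters: comparing the hash before verifying the signature would let a forged manifest "pass" the hash step and, in a sloppier implementation, leak which step failed. Real devices additionally pin the vendor public key in read-only boot code and enforce anti-rollback on the version field, which this example omits.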

The Guerrilla Malware Explained

The main plugin for the Guerrilla malware loads additional plugins that are dedicated to carrying out specific functionality, including:

With the help of these features, the Lemon Group can create a varied monetization strategy that may include the sale of compromised accounts, the appropriation of network resources, the provision of app installation services, the production of phony ad impressions, the provision of proxy services, and the provision of SMS Phone Verified Accounts (PVA) services.

Devices Affected Worldwide

According to BleepingComputer, the threat actors claimed on their service-offering site to control nearly 9 million devices spread across 180 countries. The countries which were the most impacted include the United States, Mexico, Indonesia, Thailand, and Russia.

The largest shares of infected devices are in Asia (55.26%), North America (16.93%) and South America (13.96%). Almost 10% of the devices are in Africa and 4% in Europe (with a large concentration in Eastern Europe).

The number of infected devices might actually be even larger: some devices have not yet communicated with the attackers’ command and control center because they are still awaiting purchase.

Analysts watching the operation found over 490,000 cell phones being used to generate one-time password requests for SMS PVA services from JingDong, WhatsApp, Facebook, QQ, Line, Tinder, and other platforms. The discovery of more than 500,000 compromised devices connected to just one of this cybercrime ring’s services indicates the substantial global reach of its criminal activities.
