The Lemon Group cybercrime gang managed to pre-install the malware known as Guerrilla on an estimated 8.9 million Android-based smartphones, smart watches, TVs and TV boxes worldwide, according to Trend Micro. According to the cybersecurity company, the malware can carry additional payloads, intercept SMS one-time passwords (OTPs), set up a reverse proxy of the infected device and infiltrate WhatsApp sessions.
“The infection turns these devices into mobile proxies, tools to steal and sell SMS messages, social media and online messaging accounts, and monetization through ad and click fraud,” Trend Micro researchers said in a report presented at the BlackHat Asia conference. last week.
Infected devices were distributed globally, with the malware installed on devices shipped to over 180 countries, including the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines and Argentina.
Installation of malware onto Android devices can occur when third parties are hired by device manufacturers to enhance default system images. In its review of Guerilla, Trend Micro noted that a company that makes firmware components for cell phones also makes similar components for Android Auto, a mobile app similar to an Android smartphone used in in-dash infotainment units. . This magnifies and creates the possibility that some vehicular entertainment systems are already infected,” Trend Micro said in the report.
The cybersecurity firm began analyzing Guerrilla after monitoring reports of smartphones compromised with the malware. Researchers purchased an infected cell phone and extracted the ROM (read only memory) image for forensic analysis. “We found a system library called libandroid_runtime.so that was tampered with to inject a snippet of code into a function called println_native,” Trend Micro said in the report.
The injected code decrypts a DEX file — the file format used by the Android operating system to execute bytecode — from the device’s data section and loads it into memory. The file is executed by the Android Runtime to activate the main plug-in used by attackers, called Sloth, and provides its configuration, which contains a Lemon Group domain used for communications.
Lemon Group’s core business involves the use of big data and analysis of large amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times and the hardware data with detailed software push”, said Trend Micro. This allows the group to monitor clients that may be infected by other applications.
“We believe that the group’s operations may also involve stealing information from the infected device to be used in collecting big data before selling it to other threat operators as another post-infection monetization scheme,” Trend Micro said.
Lemon Group was first identified in February last year, after it changed its name to Durian Cloud SMS. However, the group’s infrastructure and tactics remained unchanged.
Source: CisoAdvisor
