Millions of Smartphones Distributed Worldwide With Preinstalled ‘Guerrilla’ Malware

A threat actor has control over millions of smartphones distributed worldwide thanks to a piece of malware that has been preinstalled on the devices, Trend Micro warned.

It has been known for several years that smartphones, particularly budget devices, may be shipped with shady firmware that can give companies or other entities access to user data. One of the best known operations involved Triada, an advanced trojan installed on Android devices whose existence came to light in 2016. 

Since 2021, Trend Micro has been tracking a different operation that appears to be linked to Triada. The group behind the campaign is tracked by the cybersecurity firm as Lemon Group and the malware preloaded on devices is called Guerrilla. 

The campaign has been active since at least 2018, with the threat actor changing the name of its operation from Lemon to Durian Cloud SMS after Trend Micro detailed its operations last year.

In a new report published on Wednesday, Trend Micro said it conducted an analysis of the Guerrilla malware after acquiring a phone and extracting its ROM image for a forensic investigation. 

“While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push,” Trend Micro explained. 

“This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions,” it added.

Advertisement. Scroll to continue reading.

An implant planted by Lemon Group loads a downloader that serves as what Trend Micro calls the main plugin, which in turn can fetch and run other plugins. 

The secondary plugins can be used to capture SMS messages (including ones containing one-time passwords for popular services such as WhatsApp and Facebook), set up a reverse proxy on infected phones, harvest application data, hijack applications such as WhatsApp…