Massive Android Preloaded Malware Campaign Discovered Affecting Millions
Trend Micro researchers have uncovered a massive cybercrime campaign that has infected nearly 9 million Android-based devices with preloaded malware.
Affected hardware includes mobile phones, watches (including children’s devices), set-top boxes, and televisions.
Trend Micro has been monitoring the group, which it named Lemon Group after one of its malicious domains, since February 2022. The group has since rebranded as Durian Cloud SMS, but much of its infrastructure remains the same.
While Trend Micro has not confirmed exactly how the group is infecting devices, it has found more than 50 infected ROMs, each with malware loaders.
“We identified over 50 different images from a variety of vendors carrying initial loaders,” Trend Micro said in a blog post. “Newer versions of loaders use fileless techniques when downloading and injecting other payloads.”
“When comparing our analyzed number of devices with Lemon Group’s assumed reach of 8.9 million, it is highly likely that more devices have been pre-infected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have not yet been distributed in the destination country or market,” Trend Micro stated.
The preloaded malware can intercept SMS messages, including one-time passwords sent by services such as Facebook, and can set up a reverse proxy that turns the infected device’s network connection into a resource the attackers can route traffic through. It can harvest Facebook data, such as friend lists and email addresses, and can hijack WhatsApp sessions to send messages of its own, in order to power Lemon Group’s marketing platforms.
The malware can also display ads when launching official applications and is capable of silently installing more applications.
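The two capabilities above, reading SMS (one-time passwords) and silently installing further apps, both depend on Android permissions that a preloaded package requests in its manifest. A quick device-side check is therefore to list packages that live on a read-only firmware partition and request those permissions, then review the ones you cannot account for. The script below is an added example, not code from the article or from Trend Micro’s research, and it carries no indicators for Lemon Group. It parses the output of `adb shell dumpsys package` (save it with `adb shell dumpsys package > pkgs.txt` and pass the file as the first argument); the embedded sample is a constructed excerpt that imitates that output, the partition list and the `ALLOWLIST` of already-verified packages are assumptions for the demo, and the field layout is reproduced from memory, so compare it against real output before relying on it.

```python
"""Triage preloaded Android packages that can read SMS or install apps.

Added example, not part of the original article or Trend Micro's research.
Parses `adb shell dumpsys package` output and flags packages that sit on a
firmware partition *and* request SMS or package-install permissions. A hit
is a review item, not proof of infection: stock messaging apps legitimately
request RECEIVE_SMS, which is what the allowlist is for.
"""
import re
import sys

# Partitions where firmware-preloaded apps live on a typical build (assumption).
PRELOAD_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/")

# Permissions behind the capabilities described in the article.
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
INSTALL_PERMS = {"android.permission.INSTALL_PACKAGES",
                 "android.permission.REQUEST_INSTALL_PACKAGES"}

# Packages the reviewer has already verified as legitimate (demo assumption).
ALLOWLIST = {"com.android.messaging"}

# Constructed excerpt in the shape of `dumpsys package` output; not real device data.
SAMPLE = """\
Packages:
  Package [com.android.messaging] (7b3e2a1):
    userId=10034
    codePath=/system/priv-app/Messaging
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    install permissions:
      android.permission.RECEIVE_SMS: granted=true
  Package [com.example.gallery] (1c9d0f4):
    userId=10041
    codePath=/data/app/~~abc==/com.example.gallery-xyz==
    requested permissions:
      android.permission.READ_SMS
      android.permission.INTERNET
  Package [com.vendor.syscore] (5e77aa0):
    userId=1000
    codePath=/system/priv-app/SysCore
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.INSTALL_PACKAGES
      android.permission.INTERNET
    install permissions:
      android.permission.RECEIVE_SMS: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def parse_dumpsys(text):
    """Return {package: {"codePath": str, "requested": set(permissions)}}."""
    pkgs, current, section = {}, None, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:  # start of a new package record
            current = pkgs.setdefault(m.group(1), {"codePath": "", "requested": set()})
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("codePath="):
            current["codePath"] = stripped[len("codePath="):]
        elif stripped.endswith(":"):
            # Only the 'requested permissions:' block lists bare permission names.
            section = "requested" if stripped == "requested permissions:" else None
        elif section == "requested" and stripped:
            current["requested"].add(stripped)
    return pkgs


def is_preloaded(code_path):
    """True when the APK lives on a firmware (read-only) partition."""
    return code_path.startswith(PRELOAD_PREFIXES)


def triage(pkgs, allowlist=ALLOWLIST):
    """Return [(package, codePath, sorted suspicious perms)] for review."""
    findings = []
    for name, info in sorted(pkgs.items()):
        if name in allowlist or not is_preloaded(info["codePath"]):
            continue
        hits = info["requested"] & (SMS_PERMS | INSTALL_PERMS)
        if hits:
            findings.append((name, info["codePath"], sorted(hits)))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    for name, path, perms in triage(parse_dumpsys(text)):
        print(f"{name}\t{path}\t{', '.join(perms)}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample, `com.example.gallery` is ignored because it was installed by the user under `/data/app`, `com.android.messaging` is skipped via the allowlist, and `com.vendor.syscore` is reported because it is preloaded and requests both `RECEIVE_SMS` and `INSTALL_PACKAGES`. A flagged package still needs manual follow-up (pull the APK with `adb pull`, check its signer and behaviour); the article notes that newer loaders fetch payloads filelessly, so the manifest alone will not show everything a package can do.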
“We identified that some of these companies use different monetization techniques, such as heavy ad loading using silent plugins inserted into infected phones, smart TV ads, and Google Play apps with hidden ads,” Trend Micro explained.
“We believe the threat actor’s operations may also be a case of stealing information from the infected device for use in bulk data collection before selling it to other threat actors as another post-infection monetization scheme.”
Trend Micro also believes it’s possible that Lemon Group’s reach could extend to Android Auto.
“This expands and creates the possibility that there are some in-car entertainment systems that are already infected,” Trend Micro said.
“However, as of this writing, we have not identified any device firmware that has been confirmed to be infected with this specific malware payload.”
Trend Micro believes Lemon Group could well have control of devices in more than 180 countries, the top three being the United States, Mexico and Indonesia.