Lemon Group Exploits 8.9 Million Pre-Infected Android Phones

By Adeola Adegunwa
Writer, Informationsecuritybuzz | May 18, 2023 11:11 pm PST

The cybercrime organization Lemon Group is using millions of Android handsets that were infected before they ever reached their buyers to carry out malicious operations around the world, which raises significant supply chain concerns.

Cybersecurity firm Trend Micro stated that the infected smartphones are turned into “mobile proxies” and into tools for stealing and reselling SMS messages, social networking accounts, and online messaging accounts, and for monetization through adverts and click fraud.

There are at least 8.9 million infected Android devices, primarily low-priced handsets, with the greatest concentration of infections in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares presented their findings last week at the Black Hat Asia conference in Singapore.

The cybersecurity company described this as an ever-evolving problem, with the threat actors now targeting Smart TVs, Android TV boxes, entertainment systems, and even children’s watches that run the Android operating system.

Over 50 different mobile device brands have been affected by the Guerilla malware, with infections observed in more than 180 countries.

“Based on our timeline estimates, the threat actor has been spreading this malware for the past five years,” the researchers added. According to the authors, “a compromise on any significant critical infrastructure with this infection can likely yield huge gains for Lemon Group over a long period of time at the expense of legitimate users.”

Sophos detected 15 apps on the Play Store in 2018 that were infected with Guerilla and contained click fraud and backdoor capabilities.

In early 2022, the malware made headlines for its ability to steal one-time passwords (OTPs) and other sensitive information from a wide variety of online services; the threat actor behind this operation rebranded it from Lemon Cloud SMS to Durian Cloud SMS shortly thereafter.

The aim, per Trend Micro, is to bypass SMS-based verification and to offer large numbers of virtual phone numbers for sale, which in reality are the numbers of unsuspecting users of the infected Android handsets, so that buyers can create online accounts with them.

While it’s true that signing up for services with a disposable phone number might help protect users’ anonymity, such services have the potential to be misused for massive spam account creation and even fraud.

The latest research from the cybersecurity firm shows that the SMS capturing capability is one of many plugins attached to a downloader component (also called the main plugin) that is loaded into the zygote process through a tampered system library.

It’s worth noting that another Android trojan, Triada, has used the same technique of modifying the zygote process.

The researchers noted, “With this, it would also be tampered every time other app processes are forked from the zygote.” To take control of the currently running application, “the main plugin will load other plugins with the current process as the target,” and so on.
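Because the main plugin is loaded into zygote before any app process is forked, every app inherits it, and the usual per-app checks see nothing unusual. The triage script below is an added example (not code from Trend Micro or from the article) of two checks a responder can run against a suspect device: first, flag executable mappings in a zygote process that are backed by a file outside the read-only system partitions (the way a foreign library injected Triada-style would show up), and second, compare the SHA-256 of system libraries pulled from the device against a manifest taken from a known-good firmware image (the only way to catch an in-place modified system library, which the first check cannot see). The `/proc/<pid>/maps` lines, the manifest and the library bytes are all constructed here; on a real device they would come from `adb shell cat /proc/$(pidof zygote64)/maps` and `adb pull`. The trusted-prefix list is an assumption about a typical AOSP partition layout.

```python
import hashlib
import re

# Assumption: partitions that legitimately back zygote's executable mappings on AOSP builds.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/apex/", "/product/", "/odm/")

# /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

# Constructed sample of a zygote64 maps file: one library mapped from /data is the odd one out.
SAMPLE_MAPS = """\
7f1a2b000000-7f1a2b1c0000 r-xp 00000000 fd:00 1234   /system/lib64/libandroid_runtime.so
7f1a2b200000-7f1a2b210000 r--p 00000000 fd:00 1235   /apex/com.android.runtime/lib64/bionic/libc.so
7f1a2b210000-7f1a2b2a0000 r-xp 00010000 fd:00 1235   /apex/com.android.runtime/lib64/bionic/libc.so
7f1a2b300000-7f1a2b340000 r-xp 00000000 fd:01 9876   /data/local/tmp/libhelper.so
7f1a2b400000-7f1a2b410000 rw-p 00000000 00:00 0
7ffc12340000-7ffc12361000 rw-p 00000000 00:00 0      [stack]
"""


def parse_maps(maps_text):
    """Yield (perms, path) for every file-backed mapping; skip anonymous and pseudo entries."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):  # anonymous memory, [stack], [vdso], ...
            continue
        yield m.group("perms"), path


def untrusted_code_mappings(maps_text):
    """Return the sorted set of executable, file-backed mappings outside trusted partitions."""
    hits = set()
    for perms, path in parse_maps(maps_text):
        if "x" in perms and not path.startswith(TRUSTED_PREFIXES):
            hits.add(path)
    return sorted(hits)


def verify_libraries(pulled_libs, manifest):
    """Return paths whose SHA-256 differs from the known-good manifest (or is absent from it).

    pulled_libs: {path: bytes pulled from the device}
    manifest:    {path: hex SHA-256 from a clean firmware image}
    """
    bad = []
    for path, blob in pulled_libs.items():
        if manifest.get(path) != hashlib.sha256(blob).hexdigest():
            bad.append(path)
    return sorted(bad)


# Constructed stand-ins for real library bytes: a clean copy and one with a patched region.
LIB_PATH = "/system/lib64/libandroid_runtime.so"
CLEAN_LIB = b"\x7fELF" + b"\x00" * 60 + b"original-runtime-code"
PATCHED_LIB = b"\x7fELF" + b"\x00" * 60 + b"original-runtime-code" + b"\x90" * 16 + b"dl_open('/data/...')"
SAMPLE_MANIFEST = {LIB_PATH: hashlib.sha256(CLEAN_LIB).hexdigest()}

if __name__ == "__main__":
    print("foreign executable mappings in zygote:", untrusted_code_mappings(SAMPLE_MAPS))
    print("libraries differing from firmware manifest:", verify_libraries({LIB_PATH: PATCHED_LIB}, SAMPLE_MANIFEST))
```

A clean device should produce an empty list from both checks. A hit from the first check needs no manifest at all; a hit from the second is only meaningful when the manifest really comes from the same firmware build (vendor build fingerprint and patch level) as the device, since legitimate OTA updates change these hashes too.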

Each of the Guerilla plugins performs a distinct business function and opens a separate revenue stream for the Lemon Group:

- Proxy plugin: builds a reverse proxy on the infected phone so that other actors can rent the compromised device’s network resources.
- Cookie plugin: captures Facebook cookies and other profile information.
- WhatsApp plugin: hijacks conversations and sends spam.
- Splash plugin: displays unwanted adverts when particular apps are run.
- Silent plugin: silently installs an APK file and launches the app.

Further analysis of this extensive enterprise has shown infrastructure overlaps between Lemon Group and Triada, suggesting the two may have coordinated.

An undisclosed third-party vendor that “produces the firmware components for mobile phones” and Android Auto components is suspected of making illicit firmware changes.

Trend Micro does not disclose how the devices come to be loaded with the trojanized firmware carrying Guerilla, how they are sold, or which brands are affected.

Separately, Microsoft security researcher Dimitrios Valsamaras disclosed Dirty Stream, an attack technique that abuses Android share targets to deliver malicious payloads and steal sensitive data from other apps on the same device.

Valsamaras compared it to a web application’s file upload vulnerability. “More specifically, malicious software employs a specially engineered content provider to convey a payload to the target application.

If the receiver does not perform security checks, the sender can overwrite critical files with harmful content. In certain scenarios, the receiver may be forced to copy the content of protected files to a public directory, putting the user’s confidential data at risk.
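The overwrite case described above comes down to a path traversal: the receiving app asks the sender’s content provider for a display name, then writes the streamed content to `cache/<display name>` inside its own private data directory, so a name such as `../shared_prefs/settings.xml` lands on a protected file. The code below is an added example (not Microsoft’s or the article’s code) that models the receiving side in plain Python rather than Android Java: a vulnerable receiver that trusts the name, and a hardened one that accepts only a plain file name and additionally checks that the canonical destination stays inside the cache directory, the equivalent of the `File.getCanonicalPath()` containment check on Android. The private data layout, the hostile display name and the payload are all constructed inline.

```python
import os
import tempfile

# Constructed: display name a hostile content provider would return, and the file it delivers.
ATTACKER_NAME = "../shared_prefs/settings.xml"
PAYLOAD = b'<map><string name="api_token">attacker-controlled</string></map>'


def safe_cache_path(cache_dir, display_name):
    """Return cache_dir/display_name if it is a plain file name whose canonical path
    stays inside cache_dir; otherwise None. Both checks matter: the basename test
    rejects traversal outright, the canonical test catches symlink tricks under cache_dir."""
    if not display_name or display_name in (".", "..") or "/" in display_name or "\\" in display_name:
        return None
    cache = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(cache, display_name))
    if target == cache or os.path.commonpath([cache, target]) != cache:
        return None
    return target


def vulnerable_receive(app_dir, display_name, payload):
    """Receiver that trusts the provider-supplied name (the pattern Dirty Stream exploits)."""
    dest = os.path.join(app_dir, "cache", display_name)
    with open(dest, "wb") as f:
        f.write(payload)
    return dest


def hardened_receive(app_dir, display_name, payload):
    """Receiver that validates the name before writing."""
    dest = safe_cache_path(os.path.join(app_dir, "cache"), display_name)
    if dest is None:
        raise ValueError("rejected untrusted file name: %r" % display_name)
    with open(dest, "wb") as f:
        f.write(payload)
    return dest


def make_app_dir(root):
    """Constructed private data directory with a cache and one protected preferences file."""
    os.makedirs(os.path.join(root, "cache"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    prefs = os.path.join(root, "shared_prefs", "settings.xml")
    with open(prefs, "wb") as f:
        f.write(b'<map><string name="api_token">legitimate</string></map>')
    return prefs


def run_demo():
    """Exercise both receivers against the hostile name; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        prefs = make_app_dir(os.path.join(tmp, "app"))
        vulnerable_receive(os.path.join(tmp, "app"), ATTACKER_NAME, PAYLOAD)
        with open(prefs, "rb") as f:
            results["vulnerable_overwrote_prefs"] = f.read() == PAYLOAD
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "app")
        prefs = make_app_dir(app_dir)
        try:
            hardened_receive(app_dir, ATTACKER_NAME, PAYLOAD)
            results["hardened_blocked"] = False
        except ValueError:
            results["hardened_blocked"] = True
        with open(prefs, "rb") as f:
            results["hardened_prefs_intact"] = f.read() != PAYLOAD
        written = hardened_receive(app_dir, "photo.jpg", b"\xff\xd8\xff")
        results["hardened_accepts_plain_name"] = written.endswith(os.path.join("cache", "photo.jpg"))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The safest receiver does not use the sender’s display name for the on-disk path at all and generates its own random file name, keeping the display name only for the UI; the validation above is for apps that need to preserve the original name.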


The cybercrime group known as the Lemon Group has installed malware called ‘Guerilla’ on approximately 9 million Android devices. This includes smartphones, watches, TVs, and TV boxes. The group uses Guerilla to carry out various malicious activities, such as intercepting one-time passwords, setting up reverse proxies, and hijacking WhatsApp sessions. Trend Micro, a cybersecurity company, discovered this criminal enterprise and found similarities between their infrastructure and the Triada trojan operation from 2016.

The Lemon Group was initially exposed in February 2022 but later rebranded as “Durian Cloud SMS” while maintaining the same tactics and infrastructure. The group’s main business involves analyzing big data, marketing, and advertising, with a focus on data obtained from users and manufacturers’ shipments. The exact method used by the Lemon Group to infect devices with Guerilla is unclear, but it may involve supply chain attacks, compromised software, firmware updates, or insider involvement in manufacturing or distribution.
