Beware! Guerrilla Malware Slumbers on Millions of Android Devices


Lemon Group, a cybercrime organization, has implanted the Guerrilla malware on approximately 8.9 million Android-based devices worldwide, including smartphones, watches, TVs, and TV boxes. Trend Micro, a cybersecurity company, disclosed this in a recent report.

The Guerrilla malware possesses various capabilities, such as loading additional malicious software, intercepting one-time passwords (OTPs) sent via SMS, establishing a reverse proxy through the infected device, and infiltrating WhatsApp sessions.

According to the Trend Micro researchers, the infected devices are turned into mobile proxies and used to steal and sell SMS messages, social media and online messaging accounts, and to generate revenue through advertising and click fraud. The findings were presented in a report at the recent Black Hat Asia conference.

The malware has been distributed globally, with infected devices found in more than 180 countries, including the United States, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Supply Chain Attack Used to Implant Guerrilla

The malware's presence on the devices traces back to third parties that manufacturers hire to customize the stock system images. During its analysis of Guerrilla, Trend Micro found that a company producing firmware components for mobile phones also produces similar components for Android Auto, the app used on vehicle dashboard systems.

This raises the concern that in-car entertainment systems could be infected as well, a point the researchers emphasized. The investigation into Guerrilla began after reports of compromised phones surfaced. The researchers obtained an infected phone and extracted its ROM image for forensic examination. Within that image they identified a tampered system library, libandroid_runtime.so, into which a code snippet had been injected in the function println_native.

The injected code decrypts a DEX file (the Dalvik Executable format in which Android packages its bytecode) from the library's data section and loads it into memory. The Android Runtime then executes it, activating the attackers' primary plugin, known as Sloth, and supplying its configuration, including a Lemon Group domain used for command-and-control communication.
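A tampered libandroid_runtime.so is the kind of artifact a firmware triage should catch before a device ships or during an incident. The script below is an added example written for this article, not Trend Micro's tooling and not taken from the Guerrilla report. It walks an extracted image, compares each native library's SHA-256 against a known-good manifest for the same build, and flags two heuristics for an embedded payload: a plaintext DEX header inside a .so, and a 4 KiB window whose byte entropy is close to 8 bits, which is what an encrypted DEX blob stashed in a data section looks like. The sample image, the baseline hashes and the library name libinject.so are constructed here purely for demonstration.

```python
"""Triage an extracted Android image for a tampered libandroid_runtime.so.

Added example; not from Trend Micro or the Guerrilla report. Assumes the
firmware has been pulled into a directory holding lib/ and lib64/, and that
a known-good SHA-256 manifest for the same build exists (constructed below).
"""
import hashlib
import math
import os
import re
import tempfile

# Dalvik executable header: "dex\n" + 3-digit version + NUL (e.g. dex\n035\0).
DEX_MAGIC = re.compile(rb"dex\n0[0-9][0-9]\x00")
WINDOW = 4096            # entropy is measured per 4 KiB window
ENTROPY_THRESHOLD = 7.5  # native code/data sits well below; encrypted blobs near 8.0


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_high_entropy_block(data: bytes) -> bool:
    """True if any window of at least 1 KiB looks encrypted or compressed."""
    for off in range(0, len(data), WINDOW):
        window = data[off:off + WINDOW]
        if len(window) >= 1024 and shannon_entropy(window) > ENTROPY_THRESHOLD:
            return True
    return False


def scan_image(image_dir: str, baseline: dict) -> dict:
    """Return {relative_path: [findings]} for every .so under image_dir."""
    results = {}
    for root, _, files in os.walk(image_dir):
        for name in files:
            if not name.endswith(".so"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, image_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            findings = []
            expected = baseline.get(rel)
            if expected is None:
                findings.append("not in baseline")
            elif expected != sha256_bytes(data):
                findings.append("hash mismatch")
            if DEX_MAGIC.search(data):
                findings.append("embedded DEX header")
            if has_high_entropy_block(data):
                findings.append("high-entropy blob")
            results[rel] = findings
    return results


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 counter stream)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_image(image_dir: str) -> dict:
    """Write a constructed mini-image and return the matching known-good baseline."""
    clean_body = b"\x7fELF" + bytes(range(64)) * 128  # low-entropy stand-in for code
    files = {
        "lib64/libc.so": clean_body,
        # tampered runtime: vendor bytes plus an appended encrypted DEX
        "lib64/libandroid_runtime.so": clean_body + _pseudo_random(8192),
        # hypothetical extra library carrying an unencrypted DEX
        "lib/libinject.so": clean_body + b"dex\n035\x00" + clean_body,
    }
    baseline = {  # hashes of the untampered vendor build (constructed)
        "lib64/libc.so": sha256_bytes(clean_body),
        "lib64/libandroid_runtime.so": sha256_bytes(clean_body),
    }
    for rel, data in files.items():
        path = os.path.join(image_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return baseline


def demo() -> dict:
    """Build the constructed image in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as image_dir:
        return scan_image(image_dir, build_sample_image(image_dir))


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(f"{rel}: {', '.join(findings) or 'clean'}")
```

On a real image, point scan_image at the pulled system partition and feed it a manifest built from the vendor's signed reference build; the hash comparison is the authoritative check, while the DEX-header and entropy heuristics only raise files worth disassembling by hand, since legitimate libraries can also carry compressed resources.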

Lemon Group's stated line of business is big data: analyzing manufacturers' shipment data, advertising content from different users, and detailed hardware and software information. This lets the group profile device owners and push further applications onto their devices.

Guerrilla Has Significant Capabilities

Guerrilla's primary plugin loads additional dedicated plugins, each with a specific job. The SMS Plugin intercepts one-time passwords delivered via SMS for WhatsApp, JingDong, and Facebook. The Proxy Plugin sets up a reverse proxy on the infected device, letting the attackers route their own traffic through the victim's network connection. The Cookie Plugin harvests Facebook cookies from the app's data directory and sends them to the C2 server; it also hijacks WhatsApp sessions to send unwanted messages.

In addition, the Splash Plugin displays intrusive advertisements while the victim uses legitimate applications, and the Silent Plugin silently installs or uninstalls APKs (Android Package Kits) received from the C2 server. These apps are installed and launched discreetly in the background.

May 23, 2023
