Millions of Android Devices Pre-Infected with Malware by Cybercrime Gang

The Lemon Group, a cybercrime gang, has pre-installed malware known as 'Guerilla' on almost 9 million Android-based devices, including smartphones, watches, TVs, and TV boxes. The malware is used to load additional payloads, intercept one-time passwords from SMS, set up a reverse proxy, hijack WhatsApp sessions, and more. The group's infrastructure overlaps with the Triada trojan operation from 2016. The malware is implanted through supply chain attacks, compromised third-party software, a compromised firmware update process, or by enlisting insiders in the product manufacturing or distribution chain. The group has a diverse monetization strategy that includes selling compromised accounts, hijacking network resources, offering app-installation services, generating fraudulent ad impressions, offering proxy services, and providing SMS Phone Verified Accounts (PVA) services. The countries most significantly impacted include the United States, Mexico, Indonesia, Thailand, and Russia.
- Cybercrime gang pre-infects millions of Android devices with malware (BleepingComputer)
- Potentially millions of Android TVs and phones come with malware preinstalled (Ars Technica)
- This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide (The Hacker News)
- Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise (Dark Reading)