How Lemon Group Became A Global Android Cybercrime Enterprise


Trend Micro researchers have published a report on a cybercrime syndicate named Lemon Group, which exploits millions of Android smartphones worldwide that were already infected before they reached their buyers. Because the malware ships in the device firmware rather than arriving as an app, this is a supply-chain compromise, and it significantly escalates the threat to global device supply chains.

The group converts these infected devices into covert mobile proxies. According to Trend Micro, their operations range from illicitly trading SMS messages and seizing control of social media and online messaging accounts to monetization tactics such as deploying advertisements and click fraud.

The Extent of the Cyber Threat

Analysis reveals that the clandestine activities of Lemon Group have affected approximately 8.9 million Android devices globally, targeting predominantly budget phones. The highest prevalence of these infiltrations is found in countries including the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares presented these findings at the Black Hat Asia conference in Singapore.

The Growing Threat Landscape

Trend Micro describes the problem as a persistently evolving one and warns that the threat actors are not limiting themselves to smartphones but are expanding their operations to other Android-based IoT devices. The growing list includes smart TVs, Android TV boxes, home entertainment systems, and even children's smartwatches.

The insidious infections are rampant in over 180 countries, compromising more than 50 different mobile device brands. The malicious software, or malware, at the core of these cyberattacks, is known as Guerilla.

The Evolution of Guerilla Malware

According to Trend Micro's research timeline, Guerilla has been Lemon Group's preferred implant for the past five years. A foothold that persistent yields substantial illicit profit over time, harms the legitimate users of the devices, and puts at risk any critical infrastructure on which compromised devices are deployed.

Sophos initially documented Guerilla in 2018 when they discovered 15 apps on the Play Store loaded with this devious software, designed to facilitate click fraud and act as a backdoor. By 2022, Guerilla was infamous for its advanced capabilities, such as intercepting SMS messages with specific characteristics like one-time passwords (OTPs) linked to multiple online platforms. 

Shortly after this revelation, the threat actors rebranded their operations from Lemon to Durian Cloud SMS.

Devious Tactics and Malicious Intentions

Trend Micro asserts that the underlying objective of Lemon Group is to defeat SMS-based verification and to sell bulk virtual phone numbers. These numbers actually belong to the owners of the infected Android devices, who are unaware their numbers are being resold to register online accounts.

While these services can offer privacy benefits by enabling users to sign up for services using temporary or disposable phone numbers, they can also be manipulated to create spam accounts on a massive scale and perpetrate fraud.

Lemon Group Expands Its Horizons

Trend Micro's analysis shows that SMS capture is only one component of the malicious arsenal built around a central downloader. This primary plugin is loaded from a tampered library inside the zygote process. Because every app process on Android is forked from zygote, code loaded there is inherited by every app on the device, which is why the technique is attractive; it is not exclusive to Guerilla and is also used by another mobile trojan, Triada.

Each Guerilla plugin performs a unique business function, offering many monetization opportunities for Lemon Group.
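Since anything loaded into zygote is inherited by every app, a practical first triage step on a suspect device is to list the shared objects mapped into zygote and compare their hashes with a baseline taken from a clean device of the same firmware build. The Python below is an added example written for this article, not code from Trend Micro or from Lemon Group's tooling. The maps excerpt, the file contents behind the hashes, and the /data/local/tmp/libhelper.so path are constructed; the adb commands named in the comments are assumed to be how you would collect the real inputs. The sample uses libandroid_runtime.so as the tampered library because that is the zygote-side library Trend Micro's analysis identified; this article itself does not name it.

```python
"""Added example: triage the shared objects mapped into Android's zygote
process and verify them against a known-good hash manifest.

Everything below is constructed for the example. On a real device the
inputs would come from (assumed commands, adb with shell access):
  adb shell cat /proc/$(pidof zygote64)/maps
  adb shell sha256sum /system/lib64/<lib>.so
and the baseline manifest from a clean device of the same build."""

import hashlib
import re

# A /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+[rwxsp-]{4}\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

# Partitions from which a stock Android build legitimately maps native code.
EXPECTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/product/", "/system_ext/")


def mapped_libraries(maps_text):
    """Unique .so paths mapped into the process, in first-seen order.
    Anonymous mappings, [stack]/[heap] pseudo-paths and non-.so files
    (APKs, fonts, dex) are skipped."""
    seen = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("[") or ".so" not in path:
            continue
        if path not in seen:
            seen.append(path)
    return seen


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(maps_text, device_hashes, baseline_hashes):
    """Classify each library mapped into zygote.

    device_hashes:   {path: sha256 hex} computed on the device under test
    baseline_hashes: {path: sha256 hex} from a clean device, same build

    unexpected_path: mapped from outside the stock partitions
    modified:        in the baseline, but the on-device hash differs
    unknown:         not in the baseline, so no verdict is possible
    ok:              matches the baseline
    """
    result = {"unexpected_path": [], "modified": [], "unknown": [], "ok": []}
    for path in mapped_libraries(maps_text):
        if not path.startswith(EXPECTED_PREFIXES):
            result["unexpected_path"].append(path)
            continue
        expected = baseline_hashes.get(path)
        if expected is None:
            result["unknown"].append(path)
        elif device_hashes.get(path) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


# ---- constructed sample input (fabricated addresses, inodes and paths) ----
SAMPLE_MAPS = """\
7b2c000000-7b2c021000 r--p 00000000 fd:00 1234   /system/lib64/libc.so
7b2c021000-7b2c0a0000 r-xp 00021000 fd:00 1234   /system/lib64/libc.so
7b2c0a0000-7b2c0a4000 rw-p 00000000 00:00 0
7b2d000000-7b2d100000 r-xp 00000000 fd:00 1235   /system/lib64/libandroid_runtime.so
7b2e000000-7b2e010000 r-xp 00000000 fd:00 1236   /apex/com.android.art/lib64/libart.so
7b2f000000-7b2f002000 r-xp 00000000 fd:00 1237   /data/local/tmp/libhelper.so
7fff000000-7fff021000 rw-p 00000000 00:00 0      [stack]
"""

# Fabricated file contents, hashed here so the two manifests are consistent.
LIBC = b"libc.so bytes"
CLEAN_RUNTIME = b"clean libandroid_runtime.so bytes"
TAMPERED_RUNTIME = b"clean libandroid_runtime.so bytes + injected loader"

BASELINE = {
    "/system/lib64/libc.so": sha256_hex(LIBC),
    "/system/lib64/libandroid_runtime.so": sha256_hex(CLEAN_RUNTIME),
}
DEVICE = {
    "/system/lib64/libc.so": sha256_hex(LIBC),
    "/system/lib64/libandroid_runtime.so": sha256_hex(TAMPERED_RUNTIME),
    "/apex/com.android.art/lib64/libart.so": sha256_hex(b"libart.so bytes"),
}


def sample_triage():
    return triage(SAMPLE_MAPS, DEVICE, BASELINE)


if __name__ == "__main__":
    for verdict, paths in sample_triage().items():
        for p in paths:
            print(f"{verdict:15} {p}")
```

A path heuristic alone would miss this kind of implant, because the modified file sits under /system like any stock library; it is the hash comparison against a clean baseline that surfaces it. The unknown bucket is not a verdict, only a gap in the baseline to fill before drawing conclusions.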

Overlapping Infrastructures: A Cause for Concern

An in-depth probe into this extensive operation has uncovered overlapping infrastructures between Lemon Group and Triada. This raises suspicions that these two cybercrime groups may have collaborated at some point.

The unauthorized firmware modifications are suspected to have been made by a third-party vendor that also produces components for Android Auto. Trend Micro has not disclosed exactly how the devices come to carry the trojanized firmware containing Guerilla, how they reach the market, or which brands are affected.

New Threat Horizons

In a recent disclosure, Microsoft security researcher Dimitrios Valsamaras outlined a novel attack method named “Dirty Stream.” This tactic manipulates Android share targets, converting them into a conduit for distributing malicious payloads and capturing sensitive data from other apps installed on a device.

We must enhance our defenses and adapt to the ever-changing landscape of global Android cybercrime operations, such as those orchestrated by the Lemon Group.

None of the information on this website is investment or financial advice and does not necessarily reflect the views of CryptoMode or the author. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website by its authors or clients. Always conduct your research before making financial commitments, especially with third-party reviews, presales, and other opportunities.