About 9 million smartphones worldwide come with pre-installed malware
Through collaboration with major suppliers, the Lemon Group has gained a large base of potential victims.
Trend Micro warned that attackers had gained control of millions of smartphones from more than 50 brands that shipped with pre-installed malware.
Since 2021, Trend Micro has been tracking a campaign by a group dubbed the Lemon Group, which preinstalls malware called Guerrilla on devices. In a new report, Trend Micro presented its analysis of the Guerrilla malware. To carry it out, the company's specialists purchased a smartphone and extracted its ROM image for investigation.
“We have identified a number of businesses that the Lemon Group does for large data, marketing and advertising companies. The core business is in the use of big data: analyzing the vast amount of data and relevant characteristics of manufacturers’ supply, various advertising content received from different users at different times, and hardware data with detailed software information,” Trend Micro explained.
According to the researchers, this activity lets the Lemon Group identify users whose devices can be infected with malware for additional monetization. For example, the attackers may serve ads only to users in certain regions.
The malicious module from the Lemon Group delivers a loader that acts as the main plugin, which in turn can load and run other plugins.
Minor plugins can be used for the following purposes:
- Interception of SMS messages (including those containing one-time passwords for instant messengers and social networks);
- Setting up a reverse proxy on infected phones;
- Collection of application data;
- Hijacking WhatsApp to send messages;
- Displaying ads when official applications are launched.
Such malicious modules are usually installed not by the OEMs themselves, but by third parties to which OEMs hand over the system image so they can add new features; those additions may include Guerrilla-type malware without the OEM's knowledge.
Trend Micro tracked requests from devices running Lemon Group services and identified over 490,000 phone numbers from more than 180 countries, including the US, Mexico, Indonesia, Russia, and India.
Lemon Group said on its website that 8.9 million devices could be compromised by hackers. The page with these numbers was recently taken down, indicating that the actual number of devices with pre-installed malware is much higher.
Trend Micro’s analysis also confirmed the presence of Guerrilla in smart TVs, Android TV boxes, Android watches for kids, and other IoT devices.