The affected devices include Android smartphones, watches, TVs, and TV boxes.
The research, recently presented at the Black Hat Asia conference in Singapore, describes how these devices were infected, which malicious plugins were used, and how the groups involved work together.
The ten countries most affected by the Guerrilla malware are India, Argentina, Angola, Indonesia, Mexico, the Philippines, Russia, South Africa, Thailand, and the US.
Analysts uncovered the large criminal operation and noted that some of the attackers' infrastructure overlaps with that of the 2016 Triada trojan operation. Triada was a banking trojan found on 42 Android phone models from inexpensive Chinese brands that sell their devices worldwide.
According to the report, the researchers first identified the Lemon Group in February 2022. Shortly afterwards, the group is said to have changed its name to "Durian Cloud SMS," but the attackers' architecture and methods stayed the same.
Trend Micro hasn't said more about how Lemon Group infects devices with malicious firmware that includes Guerrilla, but it did say that the devices its experts examined had been re-flashed with new ROMs. The experts found more than 50 different ROMs infected with initial malware loaders, targeting a range of Android device manufacturers.
The primary Guerrilla plugin is responsible for loading additional plugins built to carry out particular tasks, including:
With these capabilities, the Lemon Group has several ways to monetize infected devices: selling compromised accounts, hijacking network resources, offering app-installation services, generating fake ad impressions, offering proxy services, and providing SMS Phone Verified Account (PVA) services.