Lemon Group's Guerilla Malware: How 9 Million Android Devices Are Exploited for Cybercrime

Lemon Group, a large cybercrime operation, has infected nearly 9 million Android devices worldwide with the Guerilla malware

Impacted devices include smartphones, TVs, TV boxes, and watches, with the highest concentration in the U.S., Mexico, Russia, Indonesia, and Thailand

The malware enables additional payload delivery, reverse proxy creation, and WhatsApp session takeovers

Lemon Group has used infrastructure overlapping with the Triada banking trojan to deploy initial malware loaders on more than 50 ROMs across various Android device vendors

The Guerilla malware includes a main plugin with features such as obtaining one-time passwords, establishing reverse proxies, showing unwanted apps, and installing more APKs

The infected devices are turned into mobile proxies and used to steal and sell SMS messages and social media and online messaging accounts, and to generate revenue through advertisements and click fraud

The malware implantation methods may involve supply chain attacks, compromised software, compromised firmware updates, or insider involvement in the manufacturing or distribution chain
