Malware pre-installed on millions of budget Android devices

Cyber Security

Published 23 May 2023 by Editorial Staff

According to security researchers at Trend Micro, the Guerrilla malware has been found pre-installed on at least 8.9 million phones from over 50 manufacturers. Guerrilla is an aggressive advertising malware that spies on users, sells their data to advertising buyers and displays excessive advertising. Infected devices have been found worldwide.

The risk of purchasing an Android product that is already part of a botnet is high, especially if you buy cheap Android TV media players or cell phones. While well-known manufacturers like Samsung, Sony and Google offer high security and years of guaranteed security updates, cheaper manufacturers don’t always take security as seriously.

Guerrilla malware, distributed by the Lemon Group cybercrime gang, can install additional malware, intercept one-time passwords (OTP) from SMS messages, establish a reverse proxy from the infected device, and infiltrate WhatsApp sessions. The device then becomes a tool for stealing and selling SMS messages, social media and instant messaging accounts, as well as monetization via ads and click fraud.

It has also emerged that cheap Android TV media players can be full of malware. The manufacturers concerned have not provided any updates or full firmware images for manual installation, meaning that users cannot reset the devices to get rid of the malware.

In addition to mobile phones and media players, the analysis of Guerrilla has revealed that the company that produces firmware components for mobile phones also produces similar components for Android Auto. This raises the possibility that some car systems may already be infected. To protect yourself, it is important to carefully consider which manufacturer you buy your Android device from and to update your devices regularly.

The Lemon Group was first identified in February 2022, after which the group changed its name to Durian Cloud SMS. Despite this, the attackers’ infrastructure and tactics have remained unchanged.

Trend Micro's report, presented at the BlackHat Asia conference, emphasizes that the infected devices have been distributed globally and the malware is present on devices shipped to more than 180 countries, including the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines and Argentina.

Source: Trend Micro