Friday, 19 May 2023 16:15

Millions of Android Devices Loaded with Malware-Infected OEM Images


TrendMicro made a shocking revelation at Black Hat Asia 2023, where they disclosed an operation targeting Android devices that has been running since 2018. The scheme was uncovered in 2021 while researchers at TrendMicro were looking into an SMS PVA (Phone Verified Accounts) mobile botnet. They identified that the botnet had been helped along by a supply chain attack targeting the images that OEMs use to rapidly deploy the OS onto devices.

TrendMicro dubbed the group “Lemon Group” and the malware “Guerrilla”, although the group has changed its website URLs since the first reports of the SMS PVA botnet hit the streets. Guerrilla also appears to overlap with Triada, an older malware that was found implanted in OEM images for Android devices. This overlap could suggest a collaboration at some point in the campaign’s history.

Following reports of Guerrilla infections in mobile devices, TrendMicro discovered a system library that had been tampered with. It had been set to inject a code snippet into the println_native function. When the function is called, the injected code decrypts a DEX file and loads it into memory. Once the device is compromised, the Lemon Group can use data from it to gain a better understanding of the compromised device for follow-on campaigns, including malvertising.

The crux of this is that the modified library allows the malicious process to load other processes (called plug-ins) that can tie into different applications in order to collect data and direct whatever payload the threat actor wants. Some of the plug-ins can capture SMS messages (including one-time passwords) sent through various messaging systems, including WhatsApp and Facebook. There are other sub-plug-ins that extend the functionality.

So far TrendMicro has identified over 50 different images that carry the initial loaders. These images are not just for Android phones; they have also been identified in smart TVs, watches, Android-based displays and entertainment systems, and Android-based TV boxes. The total footprint is more than 8.9 million devices that have communicated with the command-and-control servers. The number is likely much higher, as there are probably infected devices still in storage that have yet to be sold and used. The list of compromised devices spans more than 50 brands, which is simply staggering.

For interested organizations, there is a list of IOCs (indicators of compromise) at the end of TrendMicro's report. These can be used to identify whether any devices are impacted and, if your malware protection supports it, to remove any of the files that are found.
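One way to put an IOC list to work against a tampered system library, as an added example that is not from TrendMicro's report or this article: hash every native library in an extracted firmware image and compare it with a baseline from an image you trust and with a set of IOC hashes. The function names, library file names and hashes are constructed for the demo; real IOC values have to come from the report.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_image(image_root, baseline, ioc_hashes):
    """Audit the .so files of an extracted image.

    baseline:   {relative path: sha256} built from a trusted image (assumption).
    ioc_hashes: set of sha256 values copied from a published IOC list.
    """
    root = Path(image_root)
    findings = {"ioc_match": [], "modified": [], "unexpected": [], "missing": []}
    seen = set()
    for lib in sorted(root.rglob("*.so")):
        if not lib.is_file():
            continue
        rel = lib.relative_to(root).as_posix()
        digest = sha256_file(lib)
        seen.add(rel)
        if digest in ioc_hashes:
            findings["ioc_match"].append(rel)   # known-bad file
        if rel not in baseline:
            findings["unexpected"].append(rel)  # not in the trusted image
        elif baseline[rel] != digest:
            findings["modified"].append(rel)    # same path, different bytes
    findings["missing"] = sorted(set(baseline) - seen)
    return findings

def demo():
    # Constructed sample image: one clean, one patched, one extra library.
    with tempfile.TemporaryDirectory() as tmp:
        lib_dir = Path(tmp, "system", "lib64")
        lib_dir.mkdir(parents=True)
        for name, data in (("clean", b"clean"), ("patched", b"patched"), ("extra", b"extra")):
            (lib_dir / f"libexample_{name}.so").write_bytes(data)
        digest = lambda b: hashlib.sha256(b).hexdigest()
        baseline = {"system/lib64/libexample_clean.so": digest(b"clean"),
                    "system/lib64/libexample_patched.so": digest(b"original"),
                    "system/lib64/libexample_gone.so": digest(b"gone")}
        return audit_image(tmp, baseline, {digest(b"patched")})

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A library reported as modified but absent from the IOC set still deserves a look, since a hash list only covers samples that were already collected.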

Last modified on Friday, 19 May 2023 16:20
