3 min

Millions of Android devices contain malware before a consumer even gets their hands on them. A cybercrime collective operating under the name “Lemon Group” is using the infected hardware for a variety of criminal activities. With the so-called Guerrilla malware, the opportunities for crime are enormous.

Last week we already reported on a similar situation where millions of smartphones are infected by a party in the production process. Again, it’s Trend Micro researchers on the scene to highlight the malware problem.

Also read: Millions of phones already infected by malware out-of-the-box

Most of the infected devices are said to be in Asia (55 percent), although North and South America together also account for a significant share (17 and 14 percent, respectively). These tend to be low-cost devices, researchers say. One possible explanation for that being the case is that producers of low-cost hardware can only maintain their rock-bottom prices by pushing their costs down to undesirable levels. This allows a criminal organization to report itself somewhere in the production process as a legitimate provider, such as for installing firmware.

Guerrilla malware

Guerrilla was discovered by security firm Sophos back in 2018. The malware allows the Android device to communicate with a “command & control center” server through a backdoor. Originally, it was merely a plugin that automatically clicked ads on the affected user’s phone (an ‘adclicker’ for short). In this way, it generated revenue for the criminal organization. However, because Guerrilla can be remotely updated, its capabilities have been expanded since 2018.

Meanwhile, the specific functions of the Guerrilla malware vary from device to device, depending on what the criminals want. SMS plugins can intercept one-time passwords for WhatsApp and other communication apps. proxy logins can steal bandwidth from the user. In this case, the link can be made to “proxyjacking,” where the stolen Internet access is traded.

Other possibilities include the deployment of a cookie plugin, which hijacks Facebook or WhatsApp accounts to send malicious messages. According to Trend Micro, all these options allowed Lemon Group to establish a diverse revenue model. Aside from illegally obtained revenue, the malware can cause headaches for legitimate users. For example: falsely linking criminal activity to an unsuspecting Android user’s IP address. Another possibility is a WhatsApp user’s activity becoming suspicious due to illegally sent messages.


Trend Micro discovered the custom firmware in an Android phone. The ROM image showed that something wasn’t quite right. The ‘libandroid_runtime.so’ library contained additional programming code to start a DEX file. Every Android application contains this to call the Java libraries it uses.

Trend Micro researchers had already unmasked Lemon Group in February 2022, after which the criminals renamed themselves “Durian Cloud SMS.” One does not report how exactly the malware lands on hardware, but one does report what kind of devices are involved. In addition to smartphones, the malicious parties also install malware on smartwatches, smart TVs and more. Since Android is on a gigantic variety of devices and more and more “smart devices” are ending up in homes, the malware could potentially be installed virtually anywhere (as long as it runs on Android).

Since a party like Samsung is currently even building refrigerators with a modified Android variant, it is only imagination that limits where you might see malware appear. However, in that particular case we are talking about a product in a high price segment, and surely we should expect a brand like Samsung to have a much better grip on the supply chain.