We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

“Guerilla” Malware Found Preinstalled on Android Devices

“Guerilla” Malware Found Preinstalled on Android Devices
Author Image Zane Kennedy
Zane Kennedy Published on 21st May 2023 Cybersecurity Researcher

A significant cybercrime enterprise known as the "Lemon Group" has been discovered, pre-installing sophisticated malware on potentially 9 million Android-based smartphones, watches, TVs, and TV boxes worldwide.

The group utilizes “Guerrilla” malware to perform a range of malicious activities, including intercepting one-time passwords from SMS messages, setting up reverse proxies (allowing a cybercriminal to use the network resources of the device), hijacking WhatsApp sessions, and more.

The extensive criminal operation was exposed by cybersecurity firm Trend Micro, whose analysts presented their findings at the recent BlackHat Asia 2023 conference. According to Trend Micro's report, the Lemon Group's infrastructure appears to overlap with the notorious Triada trojan operation from 2016. Triada was a trojan found pre-installed on a number of Android smartphone models.

Trend Micro first uncovered the Lemon Group in February 2022, after which the group rebranded as "Durian Cloud SMS." The primary business of the Lemon Group involves the exploitation of big data, analyzing shipment characteristics, advertising content, and hardware data to target specific regions and display tailored advertisements.

The infection process used by the Lemon Group to implant the Guerrilla malware remains unknown. However, Trend Micro's analysts discovered that infected devices had been reflashed with new ROMs (the operating system that runs the device), with over 50 different ROMs identified as ‘infected’ across various Android device vendors.

Trend Micro warns that the Lemon Group has previously claimed to control nearly 9 million infected devices in 180 countries. The countries most affected include the United States, Mexico, Indonesia, Thailand, and Russia. Whether this number is accurate or an overstatement from the threat actors is unknown.

Trend Micro has detected 490,000 phone numbers were being used for one-time password requests via Lemon SMS, and later, Durian SMS services. These passwords were used to access WhatsApp, Facebook, and JingDong, and more. This finding indicates that a sizable number of infected devices are in use throughout the world.

The cybersecurity firm has identified over 50 brands of mobile devices infected with the Guerrilla malware. Furthermore, Trend Micro reports that the malware has also been detected on Android-based smart TVs, TV boxes, smartwatches for kids, and other products.

The investigation is ongoing, and it remains crucial for users to maintain up-to-date security measures and exercise caution when purchasing Android devices from unknown or unofficial sources.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.