The Guerrilla malware has targeted nearly 9 million Android devices globally, including smartphones, watches, TVs, and TV boxes. The malware is distributed by Lemon Group, which is one of the most notorious cybercrime organizations.
Gadgets are always at risk of getting infected with malware, and once in a while, we hear about a new malware that targets users. Recently, McAfee researchers warned users to remove 38 Android games as soon as possible because they were running advertising in the background. Now, the BlackHat Asia conference in Singapore has illustrated the impact of Guerrilla malware.
The Guerrilla malware is developed by Lemon Group and has impacted 8.9 million Android users. The malware is essentially utilized for intercepting one-time passwords from SMS, loading additional payloads, setting up a reverse proxy from the infected device, hijacking WhatsApp sessions, etc.
Guerrilla malware targets nearly 9 million Android users globally
The report continues that Guerrilla malware has targeted users from all continents. However, the top 10 affected countries are India, Argentina, Angola, Indonesia, Mexico, Philippines, Russia, South Africa, Thailand, and the US.
Additionally, some of the infrastructure and methods used for this attack match the Triada trojan operation, which happened in 2016 and targeted 42 Android phone models. The attack is said to be done again by Lemon Group. This group later changed its name to Durian Cloud SMS, but its methods and architecture remained unchanged.
The outlet says Guerrilla malware has been found on 50 different ROMs that had been re-flashed. The malware also targets various Android device manufacturers.
The way Guerrilla malware works is simple but tricky. It first installs additional plugins on devices. Each plugin performs a certain task, like intercepting passwords sent via SMS, establishing a reverse proxy, or installing extra applications.
By infecting victims’ devices, Lemon Group can make tons of money by faking ads, taking over network resources, selling compromised accounts, selling proxy services, and offering SMS Phone Verified Accounts (PVA) services.