Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise


Level 15
Thread author
Top Poster
Mar 13, 2022
Millions of Android phone users around the world are contributing daily to the financial wellbeing of an outfit called the Lemon Group, merely by virtue of owning the devices.

Unbeknownst to those users, the operators of the Lemon Group have pre-infected their devices before they even bought them. Now, they're quietly using their phones as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.

Lemon Group itself has claimed it has a base of nearly 9 million Guerrilla-infected Android devices that its customers can abuse in different ways. But Trend Micro believes the actual number may be even higher.

Building a Business on Infected Devices​

Lemon Group is among several cybercriminal groups that have built profitable business models around pre-infected Android devices in recent years.

Researchers from Trend Micro first began unraveling the operation when doing forensic analysis on the ROM image of an Android device infected with malware dubbed "Guerrilla." Their investigation showed the group has infected devices belonging to Android users in 180 countries. More than 55% of the victims are in Asia, some 17% are in North America and nearly 10% in Africa. Trend Micro was able to identify more than 50 brands of — mostly inexpensive — mobile devices.

In a presentation at the just concluded Black Hat Asia 2023, and in a blog post this week, Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares shared their insights on the threat that outfits like Lemon Group pose to Android users. They described it as a continuously growing problem that has begun touching not just Android phone users but owners of Android Smart TVs, TV boxes, Android-based entertainment systems, and even Android-based children's watches.

"Following our timeline estimates, the threat actor has spread this malware over the last five years," the researchers said. "A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users."

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.