There was an old Guerilla Malware which used to spread via disguised applications on the Google Play Store. It has been many years since such malicious applications have been removed from Play Store. Naturally this time, people are saying it is “New Guerilla Malware”. It is suspected that this new version of this malware is arriving to the users as pre-installed on various Android devices, including smartphones, smartwatches, smart TVs and so on.
Trend Micro first informed the public about the spread of this malware:
1 | https://www.trendmicro.com/en_us/research/23/e/lemon-group-cybercriminal-businesses-built-on-preinfected-devices.html |
The new Guerrilla opens a backdoor on your phone usually by showing you a false “update notification”. After the user click to run the update, it downloads and installs unwanted harmful software.
---
The Guerrilla Malware can load various plugins to carry out malicious activities. Such as SMS plugin (to intercept OTPs), cookie plugin, proxy plugin (sets up a reverse proxy for their usage), splash plugin, silent plugin etc.
What is Lemon Group?
Lemon Group is the name of a cunning cybercrime syndicate. It is not any legitimate company. There are legitimate companies with the same name.
“Trend Micro researchers had already unmasked Lemon Group in February 2022, after which the criminals renamed themselves Durian Cloud SMS.”
“While we identified several businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push,” Trend Micro explained.
They are quite advanced developers and it is easy for a user to get fooled by a prompt for an update.
What Type of Devices Are Prone?
So far, it is suspected that the mid-range and lower-range Android devices from certain brands use sub-standard software development methodologies to develop their branded Android OS or Android-derived OS. Probably Lemon Group could hack through their repository to inject Guerilla Malware. Also, the rooted Android devices from any manufacturer are at risk.
Today we purchase a lot of devices which are based on Android and not all of them are licensed by Google. They can also have this malware. If you have an Android-based cheap smartphone, projector, smartwatch, smartTV etc then they can be at risk.
Not much is known about the name of the manufacturers or the infected apps. The known fact so far is that they are frequently appearing on mid-range and lower-range devices. Rest are assumptions based on practical facts.
What Are the Sign-Symptoms of Getting Infected by Guerilla Malware?
The infected device can run slow, system settings can be modified without the user’s permission, questionable applications may appear, data and battery usage can be increased, browsers redirect to malware’s preferred websites, and various unwanted advertisements as pop up may appear.
How to Get Rid off Guerilla Malware?
Avast-Mobile, DrWeb, ESET-NOD32, and Kaspersky all can detect this Guerilla Malware. You can see the live list here:
1 2 3 4 | https://www.virustotal.com/gui/file/f43bb33f847486bb0989aa9d4ce427a10f24bf7dcacd68036eef11c82f77d61d/detection # info https://www.malwarebytes.com/blog/detections/android-trojan-guerrilla |
Guerrilla is detected by Kaspersky products such as Trojan.AndroidOS.Guerrilla.a. and the security company advise us to follow these measures to try to protect our devices from this malware. The first thing would be to restrict the installation of applications from sources other than official stores, use protection solutions to defend our Android devices from all types of malware or threats and not root the device, since according to Kaspersky, this malware is only capable of abusing the mechanisms of Google Play on rooted devices.
