Cybercrime gang Lemon Group has managed to get malware known as Guerrilla preinstalled on about 8.9 million Android-based smartphones, watches, TVs, and TV boxes globally, according to Trend Micro. The Guerrilla malware can load additional payloads, intercept one-time passwords (OTPs) from SMS texts, set up a reverse proxy on the infected device, and hijack WhatsApp sessions.

"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," Trend Micro researchers said in a report presented at the Black Hat Asia conference this week.

The infected devices have been distributed globally, with the malware installed on devices shipped to more than 180 countries, including the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

Third parties preinstall malware on Android devices

Malware can end up on Android devices when the third parties that device manufacturers hire to customize the standard system image insert it into the firmware. In its analysis of Guerrilla, Trend Micro noted that a company that produces firmware components for mobile phones also produces similar components for Android Auto, the app that projects an Android phone's interface onto vehicles' dashboard information and entertainment units. "This widens and creates the possibility that there might be some in-car entertainment systems that are already infected," Trend Micro said in the research.

Trend Micro began its analysis of Guerrilla after monitoring reports of phones compromised with the malware. Researchers purchased an infected phone and extracted the ROM image for forensic analysis.
"We found a system library called libandroid_runtime.so that was tampered to inject a code snippet into a function called println_native," Trend Micro said in its report.

The injected code decrypts a DEX file (the bytecode format the Android runtime executes) from the tampered library's data section and loads it into memory. The Android runtime then executes it to activate the attackers' main plugin, called Sloth, and supplies its configuration, which contains a Lemon Group domain used for command-and-control communications.

The main business of the Lemon Group involves the use of big data: "analyzing massive amounts of data and the corresponding characteristics of manufacturers' shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push," Trend Micro said. This allows Lemon Group to profile infected devices and select those that can be further loaded with other apps. "We believe that the threat actor's operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme," Trend Micro said.

Functions of Lemon Group's Guerrilla malware

The main plugin of the Guerrilla malware loads additional plugins, each dedicated to a specific function. The SMS Plugin intercepts one-time passwords for WhatsApp, JingDong, and Facebook received via SMS. The Proxy Plugin sets up a reverse proxy from the infected phone, allowing the attackers to use the victim's network resources. The Cookie Plugin takes Facebook cookies from the app's data directory and exfiltrates them to the C2 server.
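The forensic step described above, pulling a system library out of an extracted ROM and looking for a DEX payload hidden in it, is easy to turn into a triage check. The script below is an added example written for this page, not Trend Micro's tooling: it scans a library image for valid DEX headers (validating the header fields so that a stray "dex\n" in a string table does not count) and, because Guerrilla stores its DEX encrypted rather than in plaintext, also flags high-entropy windows that a plain magic scan would miss. The sample "library" bytes, offsets and the 7.5-bit entropy threshold are constructed assumptions for illustration, not values from any real libandroid_runtime.so.

```python
"""Scan a native library image for embedded DEX payloads.

Added example for triaging an extracted ROM the way the Guerrilla analysis
describes (a tampered libandroid_runtime.so carrying a DEX in its data
section). This is not Trend Micro's tooling; the sample "library" below is
constructed inline and is not a real libandroid_runtime.so.
"""
import math
import random
import struct

DEX_MAGIC_PREFIX = b"dex\n"       # followed by a 3-digit version and NUL, e.g. b"035\0"
DEX_HEADER_SIZE = 0x70            # fixed header length from the DEX format spec
DEX_ENDIAN_CONSTANT = 0x12345678  # endian_tag value for a little-endian DEX file


def find_dex_headers(blob: bytes) -> list[dict]:
    """Return every offset at which a plausible DEX header starts.

    A bare magic match is not enough: ELF string tables and log text can
    contain b"dex\\n". Each candidate is validated against header fields the
    DEX spec defines (header_size, endian_tag, file_size within the blob).
    """
    hits = []
    pos = blob.find(DEX_MAGIC_PREFIX)
    while pos != -1:
        if pos + DEX_HEADER_SIZE <= len(blob):
            version = blob[pos + 4:pos + 8]
            # file_size @0x20, header_size @0x24, endian_tag @0x28, little-endian u32 each
            file_size, header_size, endian_tag = struct.unpack_from("<III", blob, pos + 0x20)
            if (version[:3].isdigit() and version[3:] == b"\0"
                    and header_size == DEX_HEADER_SIZE
                    and endian_tag == DEX_ENDIAN_CONSTANT
                    and 0 < file_size <= len(blob) - pos):
                hits.append({"offset": pos, "version": version[:3].decode(), "file_size": file_size})
        pos = blob.find(DEX_MAGIC_PREFIX, pos + 1)
    return hits


def high_entropy_windows(blob: bytes, window: int = 1024, threshold: float = 7.5) -> list[tuple[int, float]]:
    """Flag fixed-size windows whose Shannon entropy looks like ciphertext.

    Guerrilla keeps its DEX encrypted until load time, so a plaintext magic
    scan alone misses it; a run of near-8-bit-per-byte data inside a code
    library is the cheap heuristic that points a reviewer at the blob to decrypt.
    """
    flagged = []
    for off in range(0, len(blob) - window + 1, window):
        chunk = blob[off:off + window]
        counts = [0] * 256
        for b in chunk:
            counts[b] += 1
        entropy = -sum((c / window) * math.log2(c / window) for c in counts if c)
        if entropy >= threshold:
            flagged.append((off, round(entropy, 2)))
    return flagged


def scan_library(blob: bytes) -> dict:
    """Combine both checks into one triage verdict for a library image."""
    dex = find_dex_headers(blob)
    enc = high_entropy_windows(blob)
    return {"plaintext_dex": dex, "high_entropy_windows": enc, "suspicious": bool(dex or enc)}


def build_dex_stub(body_len: int) -> bytes:
    """Minimal DEX header (valid magic/size fields only) plus a dummy body.

    Used only to construct the sample below; a real DEX also carries map,
    string and class tables that this stub omits.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_SIZE + body_len, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    return bytes(hdr) + b"A" * body_len


# --- constructed sample: NOT taken from any real device image ---------------
_rng = random.Random(1337)
_DECOY = b"\x00" * 500 + b"dex\n035\0" + b"\x00" * 492  # magic in a zero region, no valid header
SAMPLE_DEX_OFFSET = len(_DECOY)                          # 1000
SAMPLE_DEX = build_dex_stub(0x190)                       # 0x200 bytes in total
SAMPLE_ENC_OFFSET = SAMPLE_DEX_OFFSET + len(SAMPLE_DEX)  # 1512
SAMPLE_ENCRYPTED = _rng.randbytes(2048)                  # stands in for an encrypted DEX payload
SAMPLE_LIBRARY = _DECOY + SAMPLE_DEX + SAMPLE_ENCRYPTED + b"\x00" * 256

if __name__ == "__main__":
    print(scan_library(SAMPLE_LIBRARY))
```

On a real image you would feed it the bytes of a library pulled from the ROM (for example /system/lib64/libandroid_runtime.so) and treat any hit as a reason to diff that file against the vendor's reference build. A DEX header hit is close to conclusive, since a stock runtime library has no reason to carry Dalvik bytecode; an entropy hit is only a lead, because compressed resources or legitimate key material also score high, so confirm it by locating the decryption routine or by comparing the library's hash with a known-good copy.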
The malware also hijacks WhatsApp sessions to send unwanted messages from the compromised device. Further plugins include the Splash Plugin, which displays intrusive advertisements to victims while they use legitimate applications, and the Silent Plugin, which installs additional APKs (Android Package Kits) received from the C2 server or uninstalls existing applications, as instructed. The installation and app launch are silent in the sense that they take place in the background, Trend Micro said.

Links to the Triada Trojan

Some of the attackers' infrastructure overlaps with the Triada Trojan operation from 2016. Triada is a banking trojan that was found preinstalled on 42 Android smartphone models from low-cost Chinese brands. "We believe these two groups worked together at some point as we observed some overlap of their C&C server infrastructure," Trend Micro said.

The Lemon Group was first identified in February 2022, after which the group rebranded under the name Durian Cloud SMS. The attackers' infrastructure and tactics, however, remained unchanged.