Lemon Group
Lemon Group

A cybercrime group known as the “Lemon Group” has recently come into the spotlight. It is for pre-installing malware named ‘Guerilla’ on a staggering number of Android devices. This malware has affected approximately 9 million smartphones, watches, TVs, and TV boxes. The malicious actors behind the Lemon Group employ Guerilla to execute various harmful activities. This includes intercepting one-time passwords, setting up reverse proxies, and hijacking WhatsApp sessions. This discovery was by analysts from Trend Micro during the BlackHat Asia conference. Here they reveal the group’s striking similarities to the notorious Triada trojan operation that emerged in 2016.

Triada Trojan and the Lemon Group

Previously, the Triada banking trojan was discovered on 42 models of Android smartphones manufactured by Chinese brands and sold globally. Trend Micro’s report indicates that they initially exposed the Lemon Group in February 2022. The group subsequently rebranded as “Durian Cloud SMS,” but their infrastructure and tactics remained unchanged. While the Lemon Group has involvement in various activities such as big data analysis, marketing, and advertising. Their primary focus revolves around utilizing big data to analyze shipment characteristics, user-specific advertising content, and detailed software data.

The Malware Implantation Process of Lemon Group

Although the exact method used by the Lemon Group to implant Guerilla malware remains undisclosed, Trend Micro has shed some light on the subject. The devices analyzed by their experts were found to have been re-flashed with new ROMs, indicating that the malware was integrated into the firmware. Researchers identified more than 50 different infected ROMs targeting various Android device vendors. The criminal group successfully infect millions of Android devices. Turning them into tools for stealing and selling SMS messages, social media and messaging accounts. It is for generating revenue through advertisements and click fraud.

Guerilla Malware and its Functionality

Guerilla malware employs a main plugin, known as “Sloth,” which loads additional plugins to carry out specific functionalities. These include the SMS Plugin, which intercepts one-time passwords for platforms such as WhatsApp, JingDong, and Facebook. The Proxy Plugin sets up a reverse proxy on the infected phone, granting attackers access to the victim’s network resources. The Cookie Plugin extracts Facebook cookies from the app data directory. It then sends them to the command and control server, while also hijacking WhatsApp sessions for unauthorized dissemination of messages. The Splash Plugin displays intrusive advertisements to victims while they are using legitimate applications. Finally, the Silent Plugin silently installs additional APKs from the command and control server or uninstalls existing applications as instructed.

Global Impact of Lemon Group

Trend Micro’s report indicates that Lemon Group claimed to have control over nearly 9 million devices in 180 countries through their service-offering site. The most affected countries include the United States, Mexico, Indonesia, Thailand, and Russia. However, the actual number of infect devices could be higher. As some have not yet connected to the attackers’ command and control servers. The analysts identified over 490,000 mobile numbers associated with generating one-time password requests for SMS Phone Verified Accounts (PVA) services across various platforms. This significant number of compromised devices reveals the widespread reach of the Lemon Group’s malicious operations.

BleepingComputer reached out to Trend Micro for further details on the pre-infected phones, their method of distribution, and the affected brands. However, as of now, no response has been received. It is crucial for users to stay informed about such security threats and take necessary precautions to protect their devices and personal information.


The Lemon Group’s pre-installation of Guerilla malware on millions of Android devices has raised serious concerns about the security of these devices. Users must remain vigilant, employ robust security measures, and keep their devices up to date with the latest firmware and security patches. As this cybercrime gang continues to operate globally, it is crucial for individuals and organizations to be aware of the potential risks associated with malware-infected devices.

Trend Micro’s ongoing monitoring of the Lemon Group’s operation has shed light on their extensive reach and the magnitude of their malicious activities. The discovery of over half a million compromised devices tied to a single service offered by the group demonstrates the alarming scale of their operations. The impact of their activities extends beyond just financial losses; it also poses a significant threat to users’ privacy and sensitive information.