The “Guerrilla” malware is a sophisticated Android-based threat deployed by a cybercrime group known as the Lemon Group. This malware has been pre-installed on nearly 9 million Android devices worldwide, including smartphones, smartwatches, smart TVs, and Android TV boxes.
What Is Guerrilla?
Guerrilla operates as a modular Trojan, meaning it functions through a primary plugin that loads specialized secondary plugins to perform various malicious activities. These plugins enable the malware to:
- Intercept SMS-based one-time passwords (OTPs) for services like WhatsApp, Facebook, and JingDong.
- Hijack WhatsApp sessions to send unsolicited messages from the compromised device.
- Extract Facebook cookies and exfiltrate them to the command-and-control (C2) server.
- Display intrusive advertisements while users are using legitimate applications.
- Install or uninstall apps silently without the user’s consent.
Who Is Behind Guerrilla?
The Lemon Group is a cybercrime organization that has been active since at least 2018. They are known for preloading devices with modified firmware containing the Guerrilla malware. This group has also operated under the alias “Durian Cloud SMS” following a rebranding after Trend Micro’s initial exposure of their activities.
Harmful Activities and Impact
The Lemon Group’s use of Guerrilla malware facilitates a range of harmful activities:
- Data Theft: By intercepting OTPs and hijacking sessions, they gain unauthorized access to personal accounts.
- Fraudulent Activities: Hijacked sessions can be used to send spam or conduct fraudulent transactions.
- Advertising Fraud: Displaying unauthorized ads generates revenue for the attackers at the expense of legitimate advertisers and users.
- Device Exploitation: Converting devices into reverse proxies allows attackers to utilize the device’s network resources for malicious purposes.
The global reach of this operation has affected users in over 180 countries, with significant numbers in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
Protection Measures
To protect against such threats:
- Purchase Devices from Reputable Sources: Avoid buying from unauthorized or suspicious vendors.
- Keep Software Updated: Regularly update your device’s firmware and applications to patch vulnerabilities.
- Install Security Software: Use trusted antivirus and anti-malware tools to detect and remove threats.
- Be Cautious with Permissions: Review app permissions and avoid granting unnecessary access.
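The last two measures are the ones a user or administrator can actually act on for a device already in hand: preloaded (system-partition) packages cannot be uninstalled, but their permissions can be reviewed. The script below is an added example, not code from the article, from Trend Micro, or from the Lemon Group's tooling. It parses text in the layout of `adb shell dumpsys package` output and flags packages installed under system partitions that request permissions matching the capabilities described above (SMS reading for OTP interception, silent install/uninstall, overlays for ads). The package names, paths, and hash values in the embedded sample are constructed, and the field layout is an approximation of real `dumpsys` output, so a practitioner should feed the script a capture from their own device.

```python
import re

# Constructed sample in the layout of `adb shell dumpsys package` output.
# Package names, paths and hashes are invented; the layout is approximate.
SAMPLE_DUMPSYS = """
Package [com.example.sysupdater] (a1b2c3):
  userId=10042
  codePath=/system/priv-app/SysUpdater
  flags=[ SYSTEM HAS_CODE ]
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.INSTALL_PACKAGES
    android.permission.SYSTEM_ALERT_WINDOW
Package [com.example.notes] (d4e5f6):
  userId=10077
  codePath=/data/app/com.example.notes-1
  flags=[ HAS_CODE ALLOW_BACKUP ]
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
Package [com.example.calculator] (778899):
  userId=10081
  codePath=/system/app/Calculator
  flags=[ SYSTEM HAS_CODE ]
  requested permissions:
    android.permission.VIBRATE
"""

# Partitions whose packages are shipped with the firmware (not user-removable).
SYSTEM_PATH_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/")

# Permissions that map to the behaviours the article attributes to Guerrilla.
WATCHED_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "receives incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.INSTALL_PACKAGES": "installs apps silently",
    "android.permission.DELETE_PACKAGES": "uninstalls apps silently",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (ad overlays)",
}


def parse_dumpsys(text):
    """Return {package_name: {"code_path": str, "permissions": set}}."""
    packages = {}
    current = None
    in_requested = False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([^\]]+)\]", line)
        if header:
            current = packages.setdefault(
                header.group(1), {"code_path": "", "permissions": set()})
            in_requested = False
            continue
        if current is None:
            continue
        if line.startswith("codePath="):
            current["code_path"] = line.split("=", 1)[1]
        elif line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):
            # Any other "section:" line ends the requested-permissions block.
            in_requested = False
        elif in_requested and line.startswith("android.permission."):
            current["permissions"].add(line)
    return packages


def is_preloaded(code_path):
    """True when the APK lives on a firmware partition."""
    return code_path.startswith(SYSTEM_PATH_PREFIXES)


def find_suspicious_preloads(text):
    """Preloaded packages requesting watched permissions -> sorted permission list."""
    findings = {}
    for name, info in parse_dumpsys(text).items():
        if not is_preloaded(info["code_path"]):
            continue
        hits = sorted(p for p in info["permissions"] if p in WATCHED_PERMISSIONS)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Real usage: adb shell dumpsys package > dump.txt, then pass its contents here.
    for pkg, perms in find_suspicious_preloads(SAMPLE_DUMPSYS).items():
        print(pkg)
        for perm in perms:
            print(f"  {perm}: {WATCHED_PERMISSIONS[perm]}")
```

On the constructed sample only `com.example.sysupdater` is reported: it sits under `/system/priv-app/` and requests SMS, package-install, and overlay permissions, the combination the article describes. `com.example.notes` is skipped because it is a user-installed app under `/data/app/`, which can simply be uninstalled. A hit from this script is a triage lead, not proof of compromise, since legitimate vendor apps also hold such permissions; conversely, a clean result is not proof of absence, because firmware-level malware can hide from the tools running on the same device, so a device whose provenance is doubtful should be compared against a known-good firmware image rather than trusted on the strength of this check alone.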