Lemon Group's Guerrilla malware model an example of how threat actors are monetizing compromised Android devices, researchers say.

Millions of Android phone users around the world are contributing daily to the financial wellbeing of an outfit called the Lemon Group, merely by virtue of owning the devices.

Unbeknownst to those users, the operators of the Lemon Group have pre-infected their devices before they even bought them. Now, they're quietly using their phones as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.

Lemon Group itself has claimed it has a base of nearly 9 million Guerrilla-infected Android devices that its customers can abuse in different ways. But Trend Micro believes the actual number may be even higher.

**Building a Business on Infected Devices**

Lemon Group is among several cybercriminal groups that have built profitable business models around pre-infected Android devices in recent years.

Researchers from Trend Micro first began unraveling the operation when doing forensic analysis on the ROM image of an Android device infected with malware dubbed "Guerrilla." Their investigation showed the group has infected devices belonging to Android users in 180 countries. More than 55% of the victims are in Asia, some 17% are in North America and nearly 10% in Africa. Trend Micro was able to identify more than 50 brands of — mostly inexpensive — mobile devices.

In a presentation at the just concluded Black Hat Asia 2023, and in a blog post this week, Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares shared their insights on the threat that outfits like Lemon Group pose to Android users. They described it as a continuously growing problem that has begun touching not just Android phone users but owners of Android Smart TVs, TV boxes, Android-based entertainment systems, and even Android-based children's watches.

"Following our timeline estimates, the threat actor has spread this malware over the last five years," the researchers said. "A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users."

**An Old but Evolving Malware Infection Issue**

The issue of Android phones being shipped with malware pre-installed on them is certainly not new. Numerous security vendors — including Trend Micro, Kaspersky, and Google — have reported over the years on bad actors introducing potentially harmful applications at the firmware layer on Android devices.

In many instances, the tampering has happened when an Android OEM, looking to add additional features to a standard Android system image, outsourced the task to a third-party. In some instances, bad actors have also managed to sneak in potentially harmful applications and malware via firmware over-the-air (FOTA) updates. A few years ago, most of the malware found preinstalled on Android devices were information stealers and ad servers.

Typically, such tampering has involved inexpensive devices from mostly unknown and smaller brands. But on occasion, devices belonging to bigger vendors and OEMs have been impacted as well. Back in 2017 for instance, Check Point reported finding as many as 37 Android device models from a large multi-national telecommunication company, pre-installed with such malware. The threat actor behind the caper added six of the malware samples to the device ROM so the user couldn't remove them without re-flashing the devices.

**Pre-Installed Malware Gets More Dangerous**

In recent years, some of the malware found pre-installed on Android devices have become much more dangerous. The best example is Triada, a Trojan that modified the core Zygote process in the Android OSa. It also actively substituted system files and operated mostly in the system's RAM, making it very hard to detect. Threat actors behind the malware used it to, among other things, intercept incoming and outgoing SMS messages for transaction verification codes, display unwanted ads and manipulate search results.

Trend Micro's research in the Guerrilla malware campaign showed overlaps — in the command-and-control infrastructure and communications for instance — between Lemon Group's operations and that of Triada. For instance, Trend Micro found the Lemon Group implant tampering with the Zygote process and essentially becoming a part of every app on a compromised device. Also, the malware consists of a main plugin that loads multiple other plugins, each with a very specific purpose. Those include one designed to intercept SMS messages and read OTPs from platforms such as WhatsApp, Facebook, and a shopping app called JingDong.

**Plugins for Different Malicious Activities**

One plugin is a crucial component of a SMS phone verified account (SMS PVA) service that Lemon Group operates for its customers. SMS PVA services basically provides users with temporary or disposable phone numbers they can use for phone number verification when registering for an online service, for instance, and for receiving two-factor authentication and one-time passwords for authenticating to them later. While some use such services for privacy reasons, threat actors like Lemon Group use them to enable customers to bulk register spam accounts, create fake social media accounts, and other malicious activities.

Another Guerrilla plugin allows Lemon Group to essentially rent out an infected phone's resources from short periods to customers; a cookie plugin hooks to Facebook-related apps on the user's devices for ad-fraud related uses; and a WhatsApp plugin hijacks a user's WhatsApp sessions to send unwanted messages. Another plugin enables silent installation of apps that would require installation permission for specific activities.

"We identified some of these businesses used for different monetization techniques, such as heavy loading of advertisements using the silent plugins pushed to infected phones, smart TV ads, and Google play apps with hidden advertisements," according to Trend Micro's analysis. "We believe that the threat actor's operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme."

Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise

Pro-Houthi OilAlpha uses spoofed Android apps to monitor victims across the Arab peninsula working to bring stability to Yemen.

An ongoing spyware campaign is targeting attendees of Saudi government-led negotiations on Yemen, along with humanitarian and reconstruction aid workers working toward Yemeni stability on behalf of the pro-Houthi movement.

Insikt Group researchers has been monitoring the activities of threat group OilAlpha since May 2022, which they reported has been using messenger applications like WhatsApp to social engineer targets into downloading a malicious Android application. The app comes loaded with remote access Trojans (RATs) like SpyNore and SpyMax, the researchers said.

Tellingly, OilAlpha uses infrastructure that the Insikt Group traced back to the Public Telecommunication Corporation (PTC), a business owned by the government of Yemen, and under the control of Houthi-aligned officials, the report added.

"The group's operations have reportedly included targeting persons attending Saudi Arabian government-led negotiations; coupled with the use of spoofed Android applications mimicking entities tied to the Saudi Arabian government, and a UAE humanitarian organization (among others)," the report said. "As of this writing, we suspect that the attackers targeted individuals the Houthis wanted direct access to."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Houthi-Backed Spyware Effort Targets Yemen Aid Workers

A hacking group dubbed OilAlpha with suspected ties to Yemen's Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.
"OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets," cybersecurity company Recorded Future said in a

Cyber Threat / Mobile Security

A hacking group dubbed **OilAlpha** with suspected ties to Yemen's Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.

"OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets," cybersecurity company Recorded Future said in a technical report published Tuesday.

"It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices."

OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups.

The assessment that the adversary is acting in the interest of the Houthi movement is based on the fact that the infrastructure used in the attacks is almost exclusively associated with Public Telecommunication Corporation (PTC), a Yemeni telecom service provider subjected to Houthi's control.

That having said, the persistent use of PTC assets doesn't exclude the possibility of a compromise by an unknown third-party. Recorded Future, however, noted that it did not find any evidence to back up this line of reasoning.

Another factor is the use of malicious Android-based applications to likely surveil delegates associated with Saudi Arabian government-led negotiations. These apps mimicked entities tied to the Saudi Arabian government and a humanitarian organization in the U.A.E.

The attack chains commence with potential targets – political representatives, media personalities, and journalists – receiving the APK files directly from WhatsApp accounts using Saudi Arabian telephone numbers by masquerading the apps as belonging to UNICEF, NGOs, and other relief organizations.

The apps, for their part, act as a conduit to drop a remote access trojan called SpyNote (aka SpyMax) that comes with a plethora of features to capture sensitive information from infected devices.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"OilAlpha's focus in targeting Android devices is not surprising due to the high saturation of Android devices in the Arabian Peninsula region," Recorded Future said.

The cybersecurity company said it also observed njRAT (aka Bladabindi) samples communicating with command-and-control (C2) servers associated with the group, indicating that it's simultaneously making use of desktop malware in its operations.

"OilAlpha launched its attacks at the behest of a sponsoring entity, namely Yemen's Houthis," it theorized. "OilAlpha could be directly affiliated to its sponsoring entity, or could also be operating like a contracting party."

"While OilAlpha's activity is pro-Houthi, there is insufficient evidence to suggest that Yemeni operatives are responsible for this threat activity. External threat actors like Lebanese or Iraqi Hezbollah, or even Iranian operators supporting the IRGC, may have led this threat activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users

An explosion of interest in OpenAI’s sophisticated chatbot means a proliferation of “fleeceware” apps that trick users with sneaky in-app subscriptions.

Any major trend or world event, from the coronavirus pandemic to the cryptocurrency frenzy, will quickly be used as fodder in digital phishing attacks and other online scams. In recent months, it has become clear that the same would happen for large language models and generative AI. Today, researchers from the security firm Sophos are warning that the latest incarnation of this is showing up in Google Play and Apple’s App Store, where scammy apps are pretending to offer access to OpenAI’s chatbot service ChatGPT through free trials that eventually start charging subscription fees.

There are paid versions of OpenAI’s GPT and ChatGPT for regular users and developers, but anyone can try the AI chatbot for free on the company’s website. The scam apps take advantage of people who have heard about this new technology—and perhaps the frenzy of people clamoring to use it—but don’t have much additional context for how to try it themselves. The researchers first learned about the scam apps after seeing ads for them in news apps and on social networks, but users may also encounter them by searching in Google Play and the App Store.

“I saw multiple ads for these types of apps on social media platforms where it’s cheap to advertise, and sometimes they use tactics like typos in the name—calling the app ‘Chat GBT’ or others—to screen out people who might be a bit more savvy,” says Sean Gallagher, a senior threat researcher at Sophos. “They’re trying to screen out people who would do the free trial and then cancel it because it’s crap. They want the people who are not focused enough to know how to unsubscribe.”

Such scams are known as fleeceware. And these apps, which hook victims into paying a regular weekly or monthly fee, are difficult to stamp out, because they typically don't exhibit the technically invasive and malicious behavior that would get more explicit malware booted. When scammers submit their apps to Apple and Google for review, the researchers note, they may not include all of the details on the subscription pricing and when users will have to pay to continue receiving functionality. Later, they can revise their demands without changing anything about how the app is engineered.

Google and Apple provide mechanisms for developers to offer in-app purchases, both one-time fees and recurring charges. And these companies get a cut every time apps in their app stores collect payments from users.

In the case of the Android app Open Chat GBT, users could download the app for free but were quickly confronted with huge quantities of ads and could try the chatbot only three times before losing access to its functionality and receiving a prompt to subscribe. By default, users could sign up for a three-day free trial to continue using the app, which would then become a monthly $10 subscription. Open Chat GBT also offered a $30 annual subscription. The researchers found a very similar app with a different name by the same developer for iOS in the App Store.

The Sophos researchers note that Apple and Google took down some of the fake AI chatbot apps they were looking at before disclosure. There were others, though, that remained available after the researchers flagged them to Google and Apple. Both companies acknowledged receipt of the submissions, and Google took down one more app. Google and Apple did not immediately respond to requests for comment about the findings.

The researchers say they suspect that some of the apps use OpenAI’s ChatGPT 3 application programming interface to generate content for users while others use lower-quality chatbot functionalities. And instead of limiting the user to a small number of queries, some of the apps would truncate responses and give users only a snippet until they started a subscription.

Gallagher says that one of the biggest problems with fleeceware is that users don't always know how to manage their subscriptions and don't realize that even when they delete an app, their recurring payments will continue to be active with the service.

“We define fleeceware as something that charges an extraordinary amount of money for a feature that is available freely or at very low cost elsewhere,” he says. “And it’s effective, because even I sometimes wonder, why am I getting charged this much by Apple every month? And it's like, OK, there’s the shared family storage, there's AppleCare for my phone, there’s Duolingo. You have to be very careful—you have to actively manage subscriptions to apps.”

ChatGPT Scams Are Infiltrating Apple's App Store and Google Play

Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.
This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.
"The identified phishing

Cyber Espionage / Threat Intel

Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group **SideWinder** to strike entities located in Pakistan and China.

This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.

"The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said.

SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.

The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore.

Earlier this February, Group-IB brought to light evidence that SideWinder may have targeted 61 government, military, law enforcement, and other organizations across Asia between June and November 2021.

More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.

The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information.

Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.

A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months.

Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University's email system (mailtsinghua.sinacn\[.\]co).

Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov\[.\]org).

Further investigation into SideWinder's infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The rogue Android app passes off as a "Ludo Game" and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.

Group-IB said the app also exhibits similarities with the fake Secure VPN app the company disclosed in June 2022 as being distributed to targets in Pakistan by means of a traffic direction system (TDS) called AntiBot.

In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organizations, as well as companies specializing in e-commerce and mass media in Pakistan and China.

"Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector," the researchers said. "It is therefore important for organizations to deploy business email protection solutions that detonate malicious content."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered

Videostream macOS app 0.5.0 and 0.4.3 has a Race Condition. The Updater privileged script attempts to update Videostream every 5 hours.

**Downloaded videos on your Chromecast. Instantly.****The easiest way to stream

videos MP4s MKVs AVIs WMVs MP3s

from your computer to Chromecast or AndroidTV.  
Control it all from Android or iOS.**

  

Brooklyn Nine Nine © 2013-2015 Fremulon, Dr. Goor Productions (PG)

play\_arrow

No setup. Seriously.  
**Just start watching.**

event\_seat

**Relax with Mobile Apps**

Play, pause, & seek from your couch with **free** Android and iOS remotes.

**Play MKVs, AVIs, MP4s, MP3s...**

Videostream supports over 400 video and audio codecs out of the box.  
This means you can **play almost any video on your Chromecast!**

**...with no setup**

There's no pesky library setup or servers to install.  
There's no accounts to create or codecs to download.  
**Just choose a video and ...no really, that's it!**  
Start watching any video on your Chromecast in seconds, Install the Desktop App now!

Frozen © 2013 Walt Disney Animation Studios (G)

Suits © 2011-2015 Universal Cable (TV-14)

**Playlists, Subtitles, & Rainbows,  
Premium is Awesome.**

done

**Playlists:** Binge watch your favourite shows using playlists in Chrome

done

**Subtitles:** Get extra settings to change subtitle size and color

done

**Notifications:** Notifications on Android when your downloads finish

done

**Love:** Support (and feed!) our team of 7 developers in Canada! <3

**Start watching downloads on your Chromecast!**

**"It's the perfect app to stream your media to your Chromecasts"**

"No fiddling about with extra services, just find the file you want and have it play in the big screen." - Gizmodo

**It transformed my Chromecast from a Netflix and YouTube machine to a watch-whatever-I-want-machine. Which is great!**

\- Shonda, Videostream User

**Let me start by saying that I recently bought the lifetime premium membership and I absolutely love Videostream. It is my favorite thing in the world after pizza and Coca-Cola.**

\- Aldo, Videostream Premium User

**I have a very large movie collection on a networked drive, and it never fails to load the movies, cast them, load subtitles, etc. It's a piece of technology and media genius, so thank you all.**

\- Eliza, Videostream User

**I just wanted to say how much I love Videostream. I use it almost every day. Now that I can select files right from my phone, it is a completely hassle free experience.**

\- Rezaan, Videostream User

**People love Videostream. Try it yourself for free!  
**

**7 developers in Canada eh!?**

Just bunch of Canucks coding for the love of perfect streaming video <3

**Frequently Asked Questions**

Got questions? We have answers (if your answer isn't below, email us!)

**Do you play \_\_\_ files? (MKV, MP4, AVI, WMV...)**

Yup!! Videostream supports over 400 audio and video codecs so with almost complete certainty, yes.

**How much does it cost?**

Nothing, zip, zilch, nada, Videostream is completely free! If you're enjoying Videostream and want some extra features like playlists, extra subtitle settings, night mode, autoplay, and more, then Videostream Premium is for you!

**I have slow internet, will Videostream work?**

You bet! Since you are streaming video from your computer directly to your Chromecast or AndroidTV, Videostream doesn't use any of your internet bandwidth! That means no extra usage on your bill, no slowed down traffic on other devices.

**How do I setup Videostream?**

It's super simple! Open Google Chrome and then install Videostream. If you have an iPhone or Android phone you can check out our remote controls on those apps stores too!

**Does Videostream have playlists?!**

Is maple syrup sweet?! You bet! Playlists let you binge watch movies, tv shows, and even listen to music on your Chromecast. You can even shuffle or repeat your playlist! Grab your playlists in Videostream Premium, download and upgrade in the Desktop or Android App today!

**What if I have another question?**

Email us at \[email protected\]! Our awesome support bro Andrew will be sure to email you back with answers to your questions, solutions to your problems, and a random selection of cat pictures and gifs!

**Come on, it's what you bought your Chromecast for!**

CVE-2023-25394: What you bought your Chromecast for.

Incorrect access control in Videogo v6.8.1 allows attackers to bind shared devices after the connection has been ended.

Permalink

Cannot retrieve contributors at this time

**com.videogo 6.8.1 has Incorrect Access Control****Vulnerability Type:**

Incorrect Access Control

**Vulnerability Version:**

6.8.1

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

When someone shares the device, the cloud service sends the password of the device to the user  Although the device owner unshares the device, the user can still bind the device with the device number and device password

CVE-2023-31678: record/yingshi_devicekey.md at main · zzh-newlearner/record

Insecure permissions in luowice 3.5.18 allow attackers to view information for other alarm devices via modification of the eseeid parameter.

Permalink

Cannot retrieve contributors at this time

**com.generalcomp.luowice 3.5.18 has Insecure Permission****Vulnerability Type:**

Insecure Permission

**Vulnerability Version:**

3.5.18

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

 Modify "eseeid" to any other field and use BASE64 encoding to access alarm information for different devices  The "img\_url" in the response body is decoded by BASE64 and is the image taken in the alarm message of the device, which is not further used for ethical reasons

CVE-2023-31677: record/luowice.md at main · zzh-newlearner/record

Incorrect access control in Videogo v6.8.1 allows attackers to access images from other devices via modification of the Device Id parameter.

Permalink

**1** contributor

**Users who have contributed to this file**

**com.videogo 6.8.1 has Incorrect Access Control****Vulnerability Type:**

Incorrect Access Control

**Vulnerability Version:**

6.8.1

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

When obtaining alarm information, the device ID is included in the request, The picture in the response is in the Location field   After changing the device ID, you can get the image URL of the corresponding device  With this URL, you can access the alarm image without permission

CVE-2023-31679: record/yingshi_privacy.md at main · zzh-newlearner/record

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Tag

#android