Guerrilla Malware developed and distributed by cybercriminal gang Lemon Group, It is infecting Android devices including TV Boxes, Smartphones, Mobile devices TV.
It can load additional payloads, intercept one-time passwords from SMS texts, set up a reverse proxy from the infected device, and infiltrate WhatsApp sessions. Using this malware hackers can steal critical information's from your device like OTP, social media information's, session details, Login Id , passwords via advertisements and click fraud explained by Trend Micro researchers.
These infected devices already distributed globally, with the malware installed on devices and its shipped to more than 180 countries including the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, Philippines, and Argentina.
The installation of malware on Android devices can occur when manufacturers hire third parties to enhance standard system images. Trend Micro noted that a company that produces the firmware components for mobile phones also produces similar components for Android Auto, a mobile app similar to an Android smartphone used on vehicles’ dashboard information and entertainment units.
Trend micro researchers bought some of the compromised devices and extracted their ROM to analyze and found something “We found a system library called libandroid_runtime.so that was tampered to inject a snippet code into a function called println_native,” Trend Micro said in its report.
This infected code decrypts a DEX file which is used by operating system to execute the bytecodes. This file activates the main plugins used by hackers to retrieve your information.
The Guerilla malware can load additional plugins that carry out specific tasks, such as:
SMS plugin: This plugin is made to steal the one-time passwords sent via SMS for WhatsApp, JingDong, and Facebook.
Proxy plugin and proxy seller: With this plugin, attackers can use the victim's network resources by setting up a backward proxy from the infected phone.
Cookie plugin/WhatsApp plugin/Send plugin and promotion platform: The Cookie Plugin extracts Facebook cookies and sends them to a central server. The compromised device can then take control of WhatsApp sessions and send unwanted messages.
Splash plugin: This type of malware displays annoying ads while users are using official apps.
Silent Plugin: This tool silently installs additional apps or removes existing ones based on instructions from a central server. The process happens in the background without the user noticing.
Here is how to stay safe and protect your phone.
Download apps from trusted sources: Use Google Play Store on Android and Apple App Store on iPhone. There are other third-party app stores, which can contain malware-infected apps that can steal your personal information or financial data.
Read app permissions: When you install an app, it will ask for certain permissions. These permissions allow the app to access certain features of your device, such as your contacts, photos, and location. It is important to carefully review the permissions that an app is requesting before you grant them. Sometimes, these apps have hidden continents or access data, locations, or others which we often ignore.
Keep your software up to date: Companies like Google and Apple timely release software updates for their app stores. Software updates include security patches that can help to protect your device from malware. It is important to install software updates as soon as they are available.
Signs if your device is infected with malware:
Some of the signs of malware infection include unusual battery drain, pop-up ads, unexplained changes to your device settings, and more. If you notice any of these signs, it is important to scan your device for malware.