Some cheap Android phones in South Africa have preinstalled malware that steals WhatsApp accounts

Trend Micro security researchers have presented their investigation into a cybercriminal gang they’ve named “Lemon Group” at Black Hat Asia 2023.

Among their findings was that South Africa is in the top 10 countries where cheap Android smartphones come pre-infected with the Guerilla malware. It outranks India.

According to the researchers, this is a mobile supply chain attack where threat actors implant malware into smartphone firmware that gets used in cheap Android smartphones.

The malware features several “plugins” that allow the attackers to basically do whatever they want on the phone, including hijacking WhatsApp accounts, intercepting one-time PINs (OTPs), and silently installing and uninstalling apps.

The researchers, Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares, said they detected over 490,000 mobile numbers used for generating or intercepting SMS OTP requests.

From these detections, they identified over 50 brands of mobile devices infected with Guerilla malware.

They did not disclose which brands these were but said one was a “copycat” brand that clones premium devices from leading mobile device companies.

MyBroadband contacted the researchers for more information and will update this article if we receive any feedback.

In addition to hijacking WhatsApp accounts and silently installing and launching apps, the researchers said the malware could harvest personal information from Facebook like friends lists, profile information, and email addresses.

A big moneymaker for Lemon Group, since rebranded “Durian Cloud SMS”, is its ability to generate SMS phone-verified accounts using the phone numbers of people whose devices were pre-infected with the Guerilla malware.

The top ten countries where the researchers detected these infections were:

1. US
2. Mexico
3. Indonesia
4. Thailand
5. Russia
6. South Africa
7. India
8. Angola
9. Philippines
10. Argentina

Lemon Group’s criminal enterprise using plugins. Source: Trend Micro/Fyodor Yarochkin, Zhengyu Dong, Paul Pajares

“Following our timeline estimates, the threat actor has spread this malware over the last five years,” the researchers stated.

“A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users.”

Trend Micro’s report is reminiscent of a 2020 investigation by Upstream and Buzzfeed News which also found cheap pre-infected Android devices across the whole African continent, including South Africa.

In that case, it was the Tecno W2 that came pre-infected with the xHelper and Triada malware.

Now read: Department of Justice nailed for negligence after ransomware attack

Subscribe to our daily newsletter

Some cheap Android phones in South Africa have preinstalled malware that steals WhatsApp accounts