The malware menace has been growing with advances in technology, causing concern among users of smart devices. The usual warning not to click on suspicious links or open dubious e-mails may not be enough, if the latest reveal by cybersecurity company Trend Micro is any indication. An organisation is suspected of pre-installing malware, named ‘Guerilla,’ on nearly 9mn Android devices: TV boxes, TVs, watches, and smartphones. Guerilla is used to carry out a range of malicious actions, including intercepting single-use passwords, hijacking the user’s WhatsApp sessions, and establishing reverse proxies. The infections are spread globally across more than 180 countries, with over 50 brands of mobile devices compromised by the malware.
According to the findings presented by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week, Trend Micro analysts discovered during their investigation a connection between the suspect organisation’s infrastructure and the notorious Triada Trojan campaign dating back to 2016. The Triada Trojan, malicious software specifically designed for banking fraud, was found pre-installed on several Android smartphones produced by certain budget brands. The comprehensive report by Trend Micro provides further insights into the operational strategies employed by the perpetrator. Though involved in various ventures such as big data analysis, marketing, and advertising, their core objective revolves around harnessing the power of big data. They use this data to analyse manufacturers’ shipments, acquire detailed data for tailored software promotions, and amass ad content sourced from diverse users.
The Trend Micro report explains that by infecting millions of Android devices, the suspect organisation effectively converts them into mobile proxies, facilitating the illicit trade of stolen SMS messages and compromised social media accounts, and active participation in fraudulent advertising schemes. Though the exact methods used to infect devices remain undisclosed, Trend Micro clarifies that its analysts have confirmed infected devices underwent a process called re-flashing, in which the original ROMs were replaced with modified versions containing the Guerilla malware. The researchers identified over 50 distinct infected ROMs, targeting various Android device manufacturers. Guerilla functions as a base component that loads additional plugins to carry out specific tasks. These functionalities include intercepting single-use passcodes sent via SMS for widely used platforms such as WhatsApp and Facebook. Another plugin sets up a reverse proxy, enabling cybercriminals to gain unauthorised access to the victim’s network resources. Further plugins specialise in stealing Facebook cookies, hijacking users’ WhatsApp sessions to spread unsolicited messages, displaying intrusive advertisements while users engage with legitimate applications, and quietly installing or deleting apps as the malware directs.
The actual number of Android devices infected with Guerilla malware is suspected to be higher, since some devices have yet to establish connections with the attackers’ command and control servers. Through vigilant monitoring of the suspect organisation’s activities, cybersecurity experts from Trend Micro have identified a staggering total of more than 490K mobile numbers connected to requests for one-time passwords used in SMS-based services such as JingDong, WhatsApp, QQ, Line, Facebook, and Tinder. This vast number of compromised devices, all linked to a single service, serves as a striking testament to the worldwide impact and scale of the cybercriminal syndicate’s malicious endeavours – worrying indeed.