Skip to content

Lemon Group is allegedly selling pre-infected Android phones

  • by
  • 4 min read

Photo by Rafapress /

Millions of Android users around the world are being used for financial gains by the Lemon Group as the company hands out Android devices pre-infected with malware. Once such pre-infected devices are in the field, the operators use them to steal and sell SMS and OTP messages, set up online and social media accounts, show unwanted ads and every other thing you can do with an infected phone. 

Being one of the most profitable cybercrime groups around the globe, Lemon Group has built quite the business model out of its guerrilla malware infection. The operation first came to light during forensic analysis on an Android ROM infected with a malware aptly named “Guerrilla”. 

Total number of infected users till date and their breakup by region. | Source: Trend Micro

The Lemon Group itself claims that around 9 million such Android devices are currently online and are abusing customers in some manner. However, research from Trend Micro believes that the real number may be higher. Their investigation shows that Android users in 180 countries are infected with Lemon Group’s Guerilla malware.

More than 55% of these victims are in Asia, 17% in North America and 10% in Africa. The researchers were also able to identify more than 50 inexpensive smartphone brands that are being used to spread the malware further. 

Since then, the threat actors have been targeting more and more Android-based devices including Android Smart TVs, TV boxes, Android-based entertainment systems and even Android-powered watches. Trend Micro estimates that the group has been steadily infecting an increasing amount of phones for at least the last five years. 

An overview of the services offered by the Lemon Group enterprise. | Source: Trend Micro

Once the infected phone with the base malware reaches a customer, the Lemon Group has a number of plugins it uses to extract the required information. These include the following:

  • SMS plugin: Capable of intercepting incoming messages and reading specific messages including OTPs.
  • Proxy plugin and seller: This plugin sets up a reverse proxy from an infected phone to use the network resources of the target phone.
  • Cookie/Whatsapp/Send plugin and promotion platform: Hooks to Facebook-related apps and dumps cookies from the app data directory to the Command and Control server. The Whatsapp part of the plugin can hijack Whatsapp sessions to send unwanted messages. 
  • Splash plugin: Hooks to popular apps to intercept specific activities such as launch event request events from ads meaning victims see uncalled-for ads when launching legitimate apps. 
  • Silent plugin: gets a list of tasks from the Command and Control server including APK meta data and installs a target app on the victim’s phone. 

All these plugins come together to form a suite of enterprise offerings that Lemon Group then resells further. At the moment, Trend Micro has seen over 490,000 mobile numbers being used for OTP request of Lemon SMS and Durian SMS service — the two names the Lemon Group has used for the operation. Customers of Lemon SMS have generated OTPs from platforms like Whatsapp, Facebook, QQ, Line, Tinder and Jingdong among other popular apps. 

In the News: Logitech announces partnership with iFixit for DIY repairs

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: