  • Marijan Hassan - Tech Journalist

Millions of smartphones are preinstalled with malware before shipping

Cybersecurity company Trend Micro has revealed that millions of Android devices have been shipped with malware already built into their firmware, giving threat actors remote control of the device. This is not the first such incident.

In 2016, researchers unmasked a similar operation involving the Triada trojan, and Trend Micro believes the new malware, dubbed Guerrilla, is related to it. The company has been tracking the operation since 2021 and attributes it to a threat group it calls Lemon Group.

The group renamed its operation from Lemon to Durian Cloud SMS last year after Trend Micro exposed it. Trend Micro says it discovered the malware after buying a phone and extracting its ROM image for forensic analysis.
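The kind of check that forensic analysis of a ROM image comes down to is a comparison of the shipped system partition against a known-good build: anything added or modified in a privileged location is a candidate implant. The script below is an added example written for this article, not Trend Micro's own tooling. It assumes both images have already been unpacked to directories with a firmware extractor, and the "clean" and "suspect" trees it builds are constructed in a temporary directory purely to exercise the comparison; the file names in them are illustrative, not the real Guerrilla artefacts.

```python
"""Compare a suspect Android system image tree against a known-good baseline.

Added example, not Trend Micro's tooling. Assumes both images have already
been extracted to directories (e.g. with a firmware unpacker). The sample
trees built below are constructed for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest.

    Symlinks are skipped so a link pointing outside the image cannot be hashed
    as if it were image content.
    """
    manifest = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root_path).as_posix()] = digest
    return manifest


def compare_manifests(baseline: dict, suspect: dict) -> dict:
    """Classify files as added, removed or modified relative to the baseline."""
    base_keys, sus_keys = set(baseline), set(suspect)
    return {
        "added": sorted(sus_keys - base_keys),
        "removed": sorted(base_keys - sus_keys),
        "modified": sorted(
            k for k in base_keys & sus_keys if baseline[k] != suspect[k]
        ),
    }


def build_sample_images(workdir: str) -> tuple:
    """Constructed sample: a clean image and a tampered copy of it.

    The tampering mimics what a firmware implant looks like on disk: a core
    system library that no longer matches the vendor build, plus an extra
    package dropped into a privileged app directory.
    """
    clean = Path(workdir) / "clean" / "system"
    dirty = Path(workdir) / "suspect" / "system"
    for root in (clean, dirty):
        (root / "lib64").mkdir(parents=True)
        (root / "priv-app" / "Phone").mkdir(parents=True)
        (root / "lib64" / "libandroid_runtime.so").write_bytes(b"\x7fELF clean runtime")
        (root / "priv-app" / "Phone" / "Phone.apk").write_bytes(b"PK phone")
        (root / "build.prop").write_text("ro.build.id=CONSTRUCTED\n")
    # Tamper with the suspect copy only.
    (dirty / "lib64" / "libandroid_runtime.so").write_bytes(b"\x7fELF runtime+loader")
    (dirty / "priv-app" / "Extra").mkdir()
    (dirty / "priv-app" / "Extra" / "Extra.apk").write_bytes(b"PK extra")
    return str(clean), str(dirty)


def audit_sample() -> dict:
    """Build the constructed images, hash both trees and return the diff."""
    with tempfile.TemporaryDirectory() as workdir:
        clean, dirty = build_sample_images(workdir)
        return compare_manifests(hash_tree(clean), hash_tree(dirty))


if __name__ == "__main__":
    for kind, files in audit_sample().items():
        print(f"{kind}: {files}")
```

On a real investigation the baseline manifest would come from a vendor-published build of the same model and version, and the interesting hits are modified files under system library directories and additions under privileged app directories, since those run with permissions a sideloaded app cannot get.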

The researchers said the motivation behind the infections is profit: selling the collected data to marketing and advertising companies. On its website, Lemon Group claimed access to 8.9 million devices, a self-reported figure that may well have grown since.

“While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilisation of big data: analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push,” Trend Micro said.

“This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions,” it added.

What makes the malware more dangerous still is that it can fetch and run additional malicious payloads: capturing SMS messages (including one-time passwords), setting up a reverse proxy on the infected phone, harvesting application data, hijacking apps such as WhatsApp to send messages, and injecting ads into legitimate apps as they launch. Because the implant ships as part of the firmware rather than as a user-installed app, a factory reset does not remove it.

The top 10 countries to which infected phones have been shipped are the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
