reports that nearly 9 million Android smartphones, TVs, TV boxes, and watches across 180 countries have been pre-infected by the Lemon Group cybercrime operation with the Guerilla malware, which could facilitate additional payload delivery, reverse proxy creation, and WhatsApp session takeovers.
Most of the impacted devices were found in the U.S., Mexico, Russia, Indonesia, and Thailand, according to a Trend Micro report presented at the BlackHat Asia conference.
Initial malware loaders have been deployed by Lemon Group, which has been using infrastructure overlapping with the Triada banking trojan
, to infect more than 50 ROMs across various Android device vendors. Researchers also discovered that Guerilla malware has a main plugin featuring other plugins for obtaining one-time passwords, establishing a reverse proxy, showing unwanted apps, and installing more APKs.
"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," said Trend Micro.