2023-06-25

Smartphones from ZTE, MiOne, Meizu, Oppo, Huawei, and HTC are among the devices that have been sold pre-infected with Guerilla malware, Trend Micro security researchers have found.

The malware’s features include intercepting one-time PINs sent via SMS, allowing attackers to hijack people’s WhatsApp accounts.

It can also silently install and launch apps, and harvest personal information from Facebook like friends lists, profile information, and email addresses.

Trend Micro security researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares presented the findings of their investigation into the “Lemon Group” cybercriminal gang last month.

Among their discoveries was that South Africa is in the top 10 countries where cheap Android smartphones come pre-infected with the Guerilla malware suite.

South Africa outranked much larger countries, including India.

Following the initial report, the researchers have told MyBroadband that they observed 29,911 unique mobile numbers from South Africa used in the phone-verified accounts business of Lemon Group.

A big moneymaker for Lemon Group, since rebranded “Durian Cloud SMS”, is exploiting devices pre-infected with Guerilla malware to generate phone-verified accounts (PVA).

This uses the phone numbers of people whose devices are pre-infected to create accounts on various platforms and verify them via SMS.

Twitter and Twitch are examples of services that require phone number verification to access certain features. This verification typically happens via SMS OTP, which Guerilla can intercept.

Such phone-verified accounts can be valuable to malicious actors and others who don’t want to potentially expose their identity.

Although the unique phone numbers in Lemon Group’s PVA database are not a total count of pre-infected phones, the researchers explained that they give an indication.

To give an idea of where South Africa sits relative to other countries, there were 29,848 Russian numbers in the database and 25,036 Indian numbers.

They were ranked sixth and seventh. South Africa was fifth.

The United States had the most phone numbers in the database — 69,778, followed by Indonesia (45,102), Mexico (44,119), and Thailand (39,656).

Trend Micro’s report is reminiscent of a 2020 investigation by Upstream and Buzzfeed News which also found cheap pre-infected Android devices across the whole African continent, including South Africa.

In that case, it was the Tecno W2 that came pre-infected with the xHelper and Triada malware.

Although the researchers couldn’t say which infected devices were most prevalent in South Africa, they did provide a chart from findings published last year of the most-affected brands and models.

Two of the biggest culprits were the ZTE Blade III and Lava Iris 88 series.

However, the ZTE Blade III is an ancient device — launched in 2012 — and there is no evidence that it was sold in South Africa.

We also could not find local product listings for the Lava Iris 88, MiOne, or HTC One X9.

Although that doesn’t mean white-labelled or differently-branded versions of these devices didn’t make it onto the market, the researchers listed Huawei and Oppo devices that were definitely sold here.

These include the Huawei P9, P10, P20 Pro, and Mate 20 Pro; and the Oppo A57.

Some old catalogue listings for the Meizu V8 suggest it may also have been sold in South Africa.

It should be noted that devices being pre-infected with malware does not necessarily mean the manufacturer was complicit.

The fact that so many brands are affected suggests that a vendor (or vendors) sitting downstream of all of them was the likely point of compromise.

In the Tecno W2 case in 2020, the manufacturer, Transsion, blamed an unidentified vendor in its supply chain.

Such supply-chain attacks have been employed to devastating effect.

For example, a financial package called M.E.Doc was compromised in 2017 and used to spread ransomware called NotPetya.

Although the virus initially seemed to target Ukrainian institutions, it reportedly affected over 2,000 companies in several countries — including South Africa.