Guerrilla Malware Found Preinstalled on Many Android Phones: How it Works

Mobile

Android smartphones from various manufacturers have reportedly been found to be infected with malware out-of-the-box, affecting users from multiple countries including India, Indonesia, Mexico, Thailand, Russia, and the US. The software can compromise the affected user’s privacy and lead to a poor user experience due to excessive battery usage. The Guerrilla malware can also update itself and implant additional software on the victim’s phone to collect personal data and inject ads into regular apps, according to security researchers.

Security firm Trend Micro recently reported that around 8.9 million Android phones were infected with the Guerrilla malware, adding that handsets from over 50 manufacturers were affected. The research was presented at the recently concluded Black Hat Asia 2023 security conference. The malware operator behind the Guerrilla malware reportedly has similarities with the Triada malware that was detected on phones in 2016.

The malware, which is preinstalled on these phones, can negatively impact a user’s experience including battery drain and use of resources like the phone’s processing power. as per the report. It is worth noting that the security firm has not mentioned any of the manufacturers or models affected by the malware. The Guerrilla malware was first detected on smartphones in 2018, and the malware was detected on apps downloaded via the Google Play store.

According to details shared by Trend Micro, the Guerrilla malware can install additional malicious software via a command and control (C&C) server controlled by the attacker known as the Lemon Group. These “modules” can collect user data to be sold to advertisers, inject ads to gain revenue, and use up the resources on the victim’s phone. The malware is also capable of controlling popular messaging app WhatsApp, allowing it to send texts for “overseas marketing”, according to the report.

The report states that smartphones from Asia and North America were impacted the most with 55.26 percent and 16.93 percent of all devices affected, respectively. Countries that were most affected by malware are the Angola, Argentina, India, Indonesia, Mexico, Russia, South Africa, Thailand, the Philippines, and the US.

While Trend Micro says that its investigation was aimed at smartphones, other IoT devices like Android TV and smart TV boxes, entertainment systems, and Android-based watches for children have also been infected by the Lemon Group. The security firm estimates that the malicious software has been spread to smartphones in several countries over a period of five years, likely translating to a significant profit for the Lemon Group behind the malware.


Google I/O 2023 saw the search giant repeatedly tell us that it cares about AI, alongside the launch of its first foldable phone and Pixel-branded tablet. This year, the company is going to supercharge its apps, services, and Android operating system with AI technology. We discuss this and more on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated – see our ethics statement for details.