---
title: "Android’s Guerrilla Malware: Risks – Cybersecurity News | Phish Protection"
description: "Are Android devices safe to use? The answer could be ‘Yes’ or ‘No’ given the Guerrilla malware implanted in many Android devices by the Lemon Group."
image: "https://phishprotection.com/og/blog/cybersecurity-updates-for-the-week-20-of-2023.png"
canonical: "https://phishprotection.com/blog/cybersecurity-updates-for-the-week-20-of-2023/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/05/phishing-prevention-tips-1788.jpg) 

Are Android devices safe to use? The answer could be ‘Yes’ or ‘No’ given the Guerrilla [malware](/content/protection-against-malware/malware-protection) implanted in many **Android devices** by the Lemon Group. Read on to know more.

Android is easy to use but could also be **risky** sometimes. The latest update on [phishing protection](/) reveals that cyber threat actors known as the Lemon Group are using [Guerrilla malware](https://www.bleepingcomputer.com/news/security/cybercrime-gang-pre-infects-millions-of-android-devices-with-malware/) to infect domestic Android devices and create **data privacy** issues.

The activities include loading additional payloads, **intercepting OTPs** from SMSs, hijacking WhatsApp sessions, and setting up [reverse proxy](https://www.makeuseof.com/what-is-reverse-proxy-how-does-it-work/) accounts from infected devices. _Besides your smartphone, many other devices, such as TVs, smartwatches, and music players, could be running on Android software._

### The Guerrilla Malware

The [Guerrilla malware](https://www.trendmicro.com/en%5Fus/research/23/e/lemon-group-cybercriminal-businesses-built-on-preinfected-devices.html) gets its name from guerrilla warfare tactics adopted by yesteryear’s warriors. Threat actors attack the most **vulnerable systems**, with the owner unaware of how and when the attack occurs.

[Threat actors](/phishing/threat-actors-target-western-digital-cripple-its-my-cloud-service) like Lemon Group specialize in infecting Android devices, especially those **re-flashed with new ROMs**. This malicious group has infected millions of Android smartphones, smartwatches, smart TVs, and other devices working on Android software.


### How Does Guerrilla Malware Work?


The Guerrilla infection converts the **infected devices** into [mobile proxies](https://geonode.com/blog/what-are-mobile-proxies) for stealing user credentials, OTPs, SMS messages, social media interactions, and online messaging accounts.

Additionally, the Guerrilla malware enters these devices through supply chain attacks, **compromised firmware** update processes, vulnerable third-party software, or third-party services inserted into the product manufacturing or distribution chain.

_Reports show that new Android smartphones come with the modified [firmware](https://thehackernews.com/2022/11/new-uefi-firmware-flaws-reported-in.html) **already implanted** by the Lemon Group._ It is possible because of the proliferation of many cheap Chinese Android mobile phone models in the market. Users get excited by attractive sales gimmicks and purchase cheap smartphones from roadside vendors. These devices are the **most vulnerable** to Guerrilla malware.

The affected devices carry a modified ‘libandroid\_runtime.so’ system library that contains additional code for decrypting and executing a [DEX file](https://www.reviversoft.com/en/file-extensions/dex#:~:text=Developers%20with%20Microsoft%20Windows%2Dbased,with%20associated%20DEX%20executable%20files.). When the **Android Runtime** starts, the DEX code is loaded into memory and activates the main plugin used by the attackers.
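The tampered `libandroid_runtime.so` described above is a system library, so a defender who has pulled the file from a device (for example with `adb pull`) or unpacked it from a firmware image can compare it against the genuine build. The Python script below is an added example, not code from this post, from Trend Micro, or from any vendor tooling. It assumes a known-good SHA-256 for the exact build (the `KNOWN_GOOD_SHA256` value is a placeholder to fill in from a trusted reference image) and adds a second, heuristic check: an appended high-entropy region is consistent with an embedded encrypted payload like the DEX blob the text describes, but on its own it is an indicator to investigate, not proof of infection. The sample inputs built by `constructed_samples()` are constructed stand-ins, not real library bytes.

```python
"""Offline integrity check for an Android system library such as libandroid_runtime.so.

Added example. Assumes the library has already been pulled from the device or
unpacked from a firmware image, and that a known-good hash for the same build
is available from a trusted source (placeholder below).
"""
import hashlib
import math
import sys
from collections import Counter

# Placeholder: replace with the SHA-256 of the genuine library for this exact build.
KNOWN_GOOD_SHA256 = {
    "libandroid_runtime.so": "<sha256-of-genuine-library-for-this-build>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Offsets (and entropy) of fixed-size windows that look like an encrypted blob.

    Heuristic only: a plain native library rarely contains such regions, but a
    legitimately compressed section would also trigger it, so treat hits as leads.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # ignore a short tail window
            break
        ent = shannon_entropy(chunk)
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def check_library(name: str, data: bytes, expected_sha256: str) -> dict:
    """Compare a library against its known-good hash and scan for encrypted regions."""
    actual = sha256_hex(data)
    hash_match = actual == expected_sha256
    is_elf = data[:4] == b"\x7fELF"
    windows = high_entropy_windows(data)
    if hash_match:
        verdict = "ok"
    elif windows or not is_elf:
        verdict = "suspicious"   # differs from reference AND carries an opaque blob
    else:
        verdict = "mismatch"     # differs from reference; may simply be another build
    return {"name": name, "is_elf": is_elf, "sha256": actual, "hash_match": hash_match,
            "high_entropy_windows": windows, "verdict": verdict}


def _pseudo_random_blob(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (sha256 chain) standing in for an encrypted DEX."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def constructed_samples():
    """Constructed test data: a 'genuine' low-entropy library and a tampered copy."""
    code_like = b"\x00\x00\xa0\xe3\x1e\xff\x2f\xe1" * 512   # repeated ARM instruction bytes
    genuine = b"\x7fELF" + code_like                         # 4100 bytes, entropy well under 7.5
    tampered = genuine + _pseudo_random_blob(8192)           # same lib with an appended blob
    return genuine, tampered


def main(argv):
    if len(argv) != 2:
        print("usage: check_runtime_lib.py <path-to-libandroid_runtime.so>")
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    result = check_library("libandroid_runtime.so", data, KNOWN_GOOD_SHA256["libandroid_runtime.so"])
    for key, value in result.items():
        print(f"{key}: {value}")
    return 0 if result["verdict"] == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hash mismatch by itself can mean nothing more than a different firmware build, which is why the script separates "mismatch" from "suspicious"; the entropy windows give an analyst a concrete offset to open in a disassembler rather than a bare verdict.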

### The Different Plugins of Guerrilla Malware

The Guerrilla Malware loads the below-mentioned **plugins** for carrying out malicious activities.

- **SMS Plugin**: intercepts OTPs received through SMS
- **Cookie Plugin**: dumps cookies from the **app data** directory and exfiltrates them to the C2 server; it also hijacks WhatsApp sessions to steal messages
- **Proxy Plugin**: sets up a reverse proxy on the target’s phone, enabling [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails) to exploit the victim’s network resources
- **Splash Plugin**: displays intrusive advertisements when users access legitimate applications
- **Silent Plugin**: installs additional [APKs](https://www.makeuseof.com/tag/what-is-apk-file/) received from the C2 server and uninstalls applications as instructed

Lemon Group has established a **monetization strategy** around these plugins, including selling compromised accounts, offering app installation and proxy services, SMS and **PVA (phone-verified account) services**, and hijacking network resources.

### Global Impact

As Asia has the largest number of [Android devices](https://cybernews.com/news/fake-telegram-app-android/), Asian countries are the **most affected** by Guerrilla malware. However, devices in the American continent and other Western countries have also been affected.

Asia accounts for the largest share, with nearly 55.26% of the total affected devices found in countries such as Indonesia and Thailand. The American continent accounts for 30.89% of the total cases. The Oceania region, comprising Australia and New Zealand, is the least affected.

![Spear phishing protection](https://media.mailhop.org/phishprotection/images/2023/05/spear-phishing-protection.jpg) 

These figures are indicative, and the number of affected devices could be **higher**. Many devices might not have communicated with the attacker’s [C2 servers](https://www.feroot.com/education-center/what-is-a-command-and-control-c2-server/#:~:text=A%20command%2Dand%2Dcontrol%20%28C2%29%20server%20is%20a,%2C%20malicious%20scripts%2C%20and%20more.) yet, because they may not yet have been purchased.

### Final Words

So, is purchasing an Android device unsafe? The answer is ‘No’ if you purchase from reputable showrooms selling **genuine products**. However, if you compromise quality for price and buy cheap models, you might pay a heavy price later by letting the Guerrilla malware into your network systems and allowing it to wreak [havoc](https://www.newstalkzb.co.nz/news/world/hacker-steals-288-000-frequent-flyer-points-for-bali-holiday/) on your information assets.


![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 


Published May 15, 2023.
