The size of the mobile device market has reached the billions, and it is estimated to reach 18 billion by 2025. Around 2010, reflashing (reprogramming and/or replacing the existing firmware of a device with a new one) and silent installation became common. The ROM image of a phone can be reflashed to add new software features or firmware updates, or to run a different operating system (OS) from the original, and some devices arrive preinstalled this way. Developers, hobbyists, and enthusiasts keen on improving their devices did this to maximize the features of their phones and/or customize their ROMs for better hardware performance, user experience, or battery life, among other purposes. In time, threat actors turned to reflashing and silent installation as techniques for malicious activity. Infections became rampant as threat actors implanted unwanted apps on phones to monetize pay-per-install schemes. These apps were accompanied by a silent plugin that pushed further apps to the victim's device whenever the operators wanted. In 2016, Triada malware was reportedly implanted into several devices, and in 2019 Google confirmed a case of an OEM image being used by third-party vendors without notifying the OEM.

Following a report of mobile devices being used for a fraud campaign, we analyzed one of the devices, which was preloaded with two different loaders capable of downloading other components from two different threat groups. This blog post provides a glimpse of the money-making business and monetization strategies built on top of the preinfected devices marketed and sold by one of these threat actor groups, which we named “Lemon Group.” It also gives an overview of how these devices were infected, the malicious plug-ins used, and the group’s professional relationships. In the full research we presented at the Black Hat Asia 2023 conference in May, we detail the other systems used by the threat actors, their companies and other commercial front ends in operation, monetization channels, Telegram groups, and employee profiles.

Note: This group's name is a generic identification based on components found during our investigation, and it might be used by other legitimately registered companies that legally render services and products. The illicit entity “Lemon Group” identified here should not be confused with legitimate organizations.