Lemon Group

Lemon Group is an Android-focused threat actor associated in the provided content with large-scale mobile-device monetization and abuse. The content states the group later rebranded as Durian Cloud SMS after Trend Micro published research on its operations in February 2022; in May, the operators removed some traces of the Lemon name while keeping the same servers intact. The content also places Lemon Group among the groups associated with BADBOX 2.0. According to the provided material, Lemon Group used multiple Android malware plugins to monetize infected devices through SMS interception, proxy services, account hijacking, ad fraud, and silent app installation or removal. Its SMS capability intercepted received SMS messages and extracted one-time passwords from services including WhatsApp, JingDong, Facebook, QQ, Line, and Tinder, supporting an SMS PVA business that provided phone numbers and OTP features to customers. A proxy plugin established reverse proxies on infected phones and enabled abuse of compromised devices’ network resources, supporting the operators’ DoveProxy business. A cookie plugin hooked Facebook-related apps, dumped Facebook cookies from app data directories, uploaded stolen cookies to command-and-control infrastructure, and harvested Facebook-related data including friends lists, profiles, and email addresses. A WhatsApp plugin was used to hijack WhatsApp sessions and send unwanted messages. The content states the cookie and WhatsApp plugins were used for overseas marketing operations, including posting marketing content through compromised Facebook accounts. Additional plugins displayed intrusive ads by hooking app launch activity and silently installed or uninstalled APKs based on command-and-control tasks. The provided content says monitoring identified more than 490,000 mobile numbers used for OTP requests tied to Lemon SMS and later Durian SMS services, and that infected devices under the actor’s control were observed in more than 180 countries. The most affected countries listed were the United States, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. Known aliases directly mentioned in the content: Durian Cloud SMS.