{"id":51956,"date":"2023-05-17T22:00:00","date_gmt":"2023-05-17T22:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/threat-actor-millions-pre-infected-android-phones-cybercrime-enterprise"},"modified":"2023-05-17T22:00:00","modified_gmt":"2023-05-17T22:00:00","slug":"lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/","title":{"rendered":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Millions of Android phone users around the world are contributing daily to the financial wellbeing of an outfit called the Lemon Group, merely by virtue of owning the devices.<\/p>\n<p>Unbeknownst&nbsp;to those users, the operators of the Lemon Group have pre-infected their devices before they even bought them. Now, they&#8217;re&nbsp;quietly using their phones as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.<\/p>\n<p>Lemon Group itself has claimed it has a base of nearly 9 million Guerrilla-infected Android devices that its customers can abuse in different ways. 
But Trend Micro believes the actual number may be even higher.<\/p>\n<h2 class=\"regular-text\">Building a Business on Infected Devices<\/h2>\n<p>Lemon Group is among several cybercriminal groups that have built profitable business models around pre-infected Android devices in recent years.<\/p>\n<p>Researchers from Trend Micro first began unraveling the operation when doing forensic analysis on the ROM image of an Android device infected with malware dubbed &#8220;Guerrilla.&#8221; Their investigation showed the group has infected devices belonging to Android users in 180 countries. More than 55% of the victims are in Asia, some 17% are in North America and nearly 10% in Africa. Trend Micro was able to identify more than 50 brands of \u2014 mostly inexpensive \u2014 mobile devices.<\/p>\n<p>In a presentation at the just concluded Black Hat Asia 2023, and in a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/lemon-group-cybercriminal-businesses-built-on-preinfected-devices.html\" target=\"_blank\" rel=\"noopener\">blog post this week<\/a>, Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares shared their insights on the threat that outfits like Lemon Group pose to Android users. They described it as a continuously growing problem that has begun touching not just Android phone users but owners of <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/malware-standard-android-tv-box-amazon\" target=\"_blank\" rel=\"noopener\">Android Smart TVs<\/a>, TV boxes, Android-based entertainment systems, and even Android-based children&#8217;s watches.<\/p>\n<p>&#8220;Following our timeline estimates, the threat actor has spread this malware over the last five years,&#8221; the researchers said. 
&#8220;A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users.&#8221;<\/p>\n<h2 class=\"regular-text\">An Old but Evolving Malware Infection&nbsp;Issue<\/h2>\n<p>The issue of Android phones being shipped with malware pre-installed on them is certainly not new. Numerous security vendors \u2014 including Trend Micro, Kaspersky, and Google \u2014 have reported over the years on bad actors introducing potentially harmful applications at the firmware layer on Android devices.<\/p>\n<p>In many instances, the tampering has happened when an Android OEM, looking to add additional features to a standard Android system image, outsourced the task to a third party. In some instances, bad actors have also managed to sneak in potentially harmful applications and malware via firmware over-the-air (FOTA) updates. A few years ago, most of the malware found preinstalled on Android devices were information stealers and ad servers.<\/p>\n<p>Typically, such tampering has involved inexpensive devices from mostly unknown and smaller brands. But on occasion, devices belonging to bigger vendors and OEMs have been impacted as well. Back in 2017 for instance, Check Point reported finding as many as <a href=\"https:\/\/blog.checkpoint.com\/research\/preinstalled-malware-targeting-mobile-users\/\" target=\"_blank\" rel=\"noopener\">37 Android device models<\/a> from a large multi-national telecommunication company, pre-installed with such malware. The threat actor behind the caper added six of the malware samples to the device ROM so the user couldn&#8217;t remove them without re-flashing the devices.<\/p>\n<h2 class=\"regular-text\">Pre-Installed Malware Gets&nbsp;More Dangerous<\/h2>\n<p>In recent years, some of the malware found pre-installed on Android devices has become much more dangerous. 
The best example is Triada, a <a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\" rel=\"noopener\">Trojan that modified the core Zygote process<\/a> in the Android OS. It also&nbsp;actively substituted system files and operated mostly in the system&#8217;s RAM, making it very hard to detect. Threat actors behind the malware used it to, among other things, intercept incoming and outgoing SMS messages for transaction verification codes, display unwanted ads and manipulate search results.<\/p>\n<p>Trend Micro&#8217;s research into the Guerrilla malware campaign showed overlaps \u2014 in the command-and-control infrastructure and communications for instance \u2014 between Lemon Group&#8217;s operations and those of Triada. For instance,&nbsp;Trend Micro found the Lemon Group implant tampering with the Zygote process and essentially becoming a part of every app on a compromised device. Also, the malware consists of a main plugin that loads multiple other plugins, each with a very specific purpose. Those include one designed to intercept SMS messages and read OTPs from platforms such as WhatsApp, Facebook, and a shopping app called JingDong.<\/p>\n<h2 class=\"regular-text\">Plugins for Different Malicious Activities<\/h2>\n<p>One plugin is a crucial component of an SMS phone verified account (SMS PVA) service that Lemon Group operates for its customers. SMS PVA services basically provide users with temporary or disposable phone numbers they can use for phone number verification when registering for an online service, for instance, and for receiving two-factor authentication and one-time passwords for authenticating to them later. 
While some use such services for privacy reasons, threat actors like Lemon Group use them to enable customers to bulk register spam accounts, create fake social media accounts, and carry out <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/sms-pva-cybercriminals-part-1.html\" target=\"_blank\" rel=\"noopener\">other malicious activities<\/a>.<\/p>\n<p>Another Guerrilla plugin allows Lemon Group to essentially rent out an infected phone&#8217;s resources for short periods to customers; a cookie plugin hooks to Facebook-related apps on the user&#8217;s devices for ad-fraud related uses; and a WhatsApp plugin hijacks a user&#8217;s WhatsApp sessions to send unwanted messages. Another plugin enables silent installation of apps that would require installation permission for specific activities.<\/p>\n<p>&#8220;We identified some of these businesses used for different monetization techniques, such as heavy loading of advertisements using the silent plugins pushed to infected phones, smart TV ads, and Google play apps with hidden advertisements,&#8221; according to&nbsp;Trend Micro&#8217;s analysis. 
&#8220;We believe that the threat actor&#8217;s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme.&#8221;<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/threat-actor-millions-pre-infected-android-phones-cybercrime-enterprise\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lemon Group&#8217;s Guerrilla malware model an example of how threat actors are monetizing compromised Android devices, researchers say. Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/threat-actor-millions-pre-infected-android-phones-cybercrime-enterprise\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-51956","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-17T22:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise\",\"datePublished\":\"2023-05-17T22:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\"},\"wordCount\":984,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\",\"articleSection\":[\"DarkReading 
|TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\",\"name\":\"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\",\"datePublished\":\"2023-05-17T22:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage\",\"url\":\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\",\"contentUrl\":\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - 
Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/","og_locale":"en_US","og_type":"article","og_title":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-17T22:00:00+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise","datePublished":"2023-05-17T22:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/"},"wordCount":984,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg","articleSection":["DarkReading 
|TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/","url":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/","name":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg","datePublished":"2023-05-17T22:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltffee38f4596c0135\/64653f534e4c6e4e2f0e5f50\/android_Andri_wahyudi_shutterstock.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/lemon-group-uses-millions-of-pre-infected-android-phones-to-enable-cybercrime-enterprise\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC 
Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51956"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51956\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}