Hackers Deploy Malware To Gigaset Android Phones With Malicious Update

Gigaset Android phones have become a victim of a serious supply-chain attack. Reports reveal that Gigaset suffered a cyberattack that let the attackers deploy malware to Gigaset Android phones via malicious updates.

Gigaset Android Phones Malicious Update

The German communication technology giant Gigaset has fallen prey to a devastating cyberattack. Consequently, Gigaset Android users suffered a malware attack after a malicious update ruined their phones.

The news surfaced online after Gigaset Android phone users started complaining of weird behavior on their phones. Toward the end of March, some Gigaset handsets repeatedly displayed ads and opened web browsers without user interaction. Inspecting the phones revealed the presence of some unidentified apps on the devices.

According to one such complaint, the victim noticed the presence of “easenf” app on the phone. The app kept reappearing on its own even after deletion. In response, numerous other users also complained of the same.

Besides, the German media also reported the same, whilst elaborating that the easenf app reached the devices via the default system update app.

About the malware

Following the reports, Malwarebytes Labs stepped up to analyze the campaign.

As per their analysis, the culprit behind this malware campaign was the package “com.redstone.ota.ui”. This package serves as an app updater. It exists as a system app to hide within the handsets.

This malicious package installs three versions of the malware downloader Android/Trojan.Downloader.Agent.WAGD, which then installs other malicious packages alongside executing other activities such as sending malicious messages via Whatsapp or SMS, possibly to spread the infection. Moreover, the malware can also download other malicious apps, and display game ads.

Android/Trojan.Downloader.Agent.WAGD is capable of sending malicious messages via WhatsApp, opening new tabs in the default web browser to game websites, downloading more malicious apps, and possibly other malicious behaviors. The malicious WhatsApp messages are most likely in order to further spread the infection to other mobile devices.

Also, another package “Android/PUP.Riskware.Autoins.Redstone” also functioned like an app updater. This package is basically an auto-installer that also infects a few other handsets from different vendors. These include,

  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

Gigaset Confirmed The Cyberattack

According to Borncity, Gigaset has confirmed that the malware did arise from one of the official updates. It so happened because some criminal hackers hacked one of the company servers.

Whereas, Gigaset also provided the following statement to Bleeping Computer, suggesting some workarounds as well.

During routine control analyses we noticed that some older smartphones are having problems with malware. This finding was also confirmed by individual customers after enquiries were made. We immediately started investigating the incident intensely by working closely with IT forensic experts and the responsible authorities. In the meantime we were able to identify a solution to the problem.

Only older smartphone models of the GS100, GS160, GS170, GS180, GS270 (plus) and GS370 (plus) series are potentially affected.

Not affected by this incident are the smartphone models of the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 series.

According to our latest information only some devices from the affected product lines were infected. Only devices on which the software updates provided by Gigaset in the past were not carried out by the user are affected. Malware was installed on these devices by a compromised server belonging to an external update service provider.

Gigaset took immediate action and contacted the update service provider. The update service provider also took immediate action and confirmed to Gigaset that the infection of smartphones could be stopped on 7 April.

Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours.

Suggested Workaround

Explaining further, Gigaset confirmed the following devices and software versions to have potentially suffered this issue.

  • GS160: all software versions
  • GS170: all software versions
  • GS180: all software versions
  • GS100: up to version GS100_HW1.0_XXX_V19
  • GS270: up to version GIG_GS270_S138
  • GS270 plus: up to version GIG_GS270_plus_S139
  • GS370: up to version GIG_GS370_S128
  • GS370 plus: up to version GIG_GS370_plus_S128

Following the next update with the patch, the users should be able to get rid of this Android malware. Nonetheless, Gigaset has also advised manual removal of any of the following apps (if found on the device) as workaround.

  • Gem
  • Smart
  • Xiaoan
  • asenf
  • Tayase
  • yhn4621.ujm0317
  • wagd.smarter
  • wagd.xiaoan

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil