Vendor has confirmed the security incident, which appears to have been a supply chain attack
Gigaset smartphone users are being urged to temporarily suspend using their devices following the discovery of widespread malware deployment.
Earlier this month, German tech blogger Günter Born reported that users of Gigaset Android devices were experiencing issues commonly associated with malware infections, including browser redirections to gambling websites, WhatsApp blocks due to suspicious activity, Facebook account hijacking, rapid power drains, and other erratic behavior.
After Born reached out to the vendor – formerly known as Siemens Home and Office Communications Devices – Gigaset confirmed that one of its update servers had been compromised at the beginning of April.
In what is known as a supply chain attack, threat actors compromise a trusted software distribution point, such as an update server, so that a single intrusion reaches every PC or mobile device that pulls updates from it.
Gigaset device owners impacted by the incident who attempted to remove the malware reported that reinfection occurred a matter of hours later.
This appears to be because the malware is delivered through the system’s ‘Update’ component – a pre-installed package that periodically fetches and installs updates for the handset’s software, so any clean-up is undone the next time it runs.
‘Malware issues’
In a statement to Born (translated), the vendor confirmed that “older smartphones had malware issues” and the company was “working intensively on a short-term solution for the affected users”.
Gigaset added that, from now on, malware should no longer be delivered to handsets.
An analysis conducted by security firm Malwarebytes lists the Gigaset GS270, Gigaset GS160, Siemens GS270, and Siemens GS160 (Android OS 8.1.0), alongside the Alps P40pro (Android OS 9.0) and Alps S20pro+ (Android OS 10.0), as laden with the malware.
According to Gigaset, it is “assumed” that the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 are not impacted.
Malwarebytes says the culprit system app, com.redstone.ota.ui, is loading three variants of Trojan.Downloader.Agent.WAGD.
The Android-specific trojan not only disrupts daily use of the device but also downloads and executes additional payloads and sends malicious SMS/WhatsApp messages, which doubles as a vector for spreading the malware to further victims.
Paranoid Android
As the app is considered part of the Android system and cannot be removed without extreme difficulty, Born has recommended that you “lay the device dead” until Gigaset fully resolves the issue.
If this is not possible, Malwarebytes has offered a workaround to uninstall ‘Update’ and keep using an impacted device, albeit with an element of risk attached.
There is another catch: this workaround will stop the handset from receiving legitimate updates in the future, so users will need to monitor Gigaset’s progress in restoring the server and cleaning up the update function before re-enabling the update component.
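The triage below is an added example and is not code from The Daily Swig, Malwarebytes or Gigaset. It takes the package name com.redstone.ota.ui from the analysis above, locates its APK in the output of `adb shell pm list packages -f`, and prints the appropriate ADB command: an APK under /system cannot be deleted from the read-only partition without root, so it falls back to `pm uninstall -k --user 0`, the standard way to remove a pre-installed app for the primary user. That this matches the workaround Malwarebytes published is our assumption; the package listing used offline is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or the vendors it names.
# Assumes 'adb' is on PATH and USB debugging is enabled when run against a real device.
# The package name comes from the Malwarebytes analysis quoted above; the
# 'pm uninstall -k --user 0' approach is an assumption about the published workaround.

PKG="com.redstone.ota.ui"

# Constructed sample of 'adb shell pm list packages -f' output (format: package:<apk path>=<name>)
SAMPLE_PKGS='package:/system/priv-app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/system/app/Gmail/Gmail.apk=com.google.android.gm
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp'

# find_apk_path LISTING PKG -> prints the APK path for PKG; returns 1 if the package is absent
find_apk_path() {
    pkg_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots so they match literally
    printf '%s\n' "$1" | sed -n "s|^package:\(.*\)=${pkg_re}\$|\1|p" | head -n 1 | grep .
}

# is_system_apk PATH -> 0 if the APK lives on a read-only system partition (pre-installed app)
is_system_apk() {
    case "$1" in
        /system/*|/vendor/*|/product/*) return 0 ;;
        *) return 1 ;;
    esac
}

# remediation_cmd PATH PKG -> the adb command that can actually remove the package for the user
remediation_cmd() {
    if is_system_apk "$1"; then
        # cannot delete from /system without root: uninstall it for user 0 instead (-k keeps its data)
        printf 'adb shell pm uninstall -k --user 0 %s\n' "$2"
    else
        printf 'adb uninstall %s\n' "$2"
    fi
}

# triage LISTING -> reports whether the updater package is present and how to remove it
triage() {
    path=$(find_apk_path "$1" "$PKG") || { echo "clean: $PKG not present"; return 1; }
    echo "found $PKG at $path"
    remediation_cmd "$path" "$PKG"
}

# Use a connected device when one is available, otherwise the constructed sample above
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    triage "$(adb shell pm list packages -f)"
else
    triage "$SAMPLE_PKGS"
fi
```

Because the updater is the channel that reinfects the handset, it is worth re-running the triage a few hours after removal: if the package is present again, the user-0 uninstall did not take, or something else restored it. Remember that after this step the device will no longer receive legitimate Gigaset updates until the package is reinstalled with `pm install-existing`.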
The Daily Swig has reached out to Gigaset with additional queries and we will update when we hear back.