Gigaset Android phones infected by malware via hacked update server

ByPR 24

Android

Owners of Gigaset Android phones have been repeatedly infected with malware since the end of March after threat actors compromised the vendor’s update server in a supply-chain attack.

Gigaset is a German manufacturer of telecommunications devices, including a series of smartphones running the Android operating system.

Starting around March 27th, users suddenly found their Gigaset mobile devices repeatedly opening web browsers and displaying advertisements for mobile game sites.

When inspecting their phone’s running apps, users found an unknown application called ‘easenf ‘ running, that when deleted, would automatically be reinstalled.

According to the German tech site BornCity, the easenf app was installed by the device’s system update app. Other malicious apps found alongside it include ‘gem’, ‘smart’, and ‘xiaoan.’

“Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan,” a reader told BornCity.

Gigaset users uploaded some of these malicious packages to VirusTotal [12], where they are detected as adware or downloaders.

Since the attack began, Malwarebytes has been supporting Gigaset owners on their forums and is detecting the threat as ‘Android/PUP.Riskware.Autoins.Redstone.’

Based on their research, Malwarebytes states that the ‘Android/PUP.Riskware.Autoins.Redstone’ app will download further malware on devices that are detected as ‘Android/Trojan.Downloader.Agent.WAGD.’

These secondary payloads all start with the name ‘com.wagd,’ and have been seen using the com.wagd.xiaoan, com.wagd.gem, com.wagd.smarter, and com.yhn4621.ujm0317 package names.

Malicious gem app installed on a Gigaset device
Malicious gem app installed on a Gigaset device

Malwarebytes states that these app will display advertisements, install other malicious apps, and attempt to spread via WhatsApp messages.

Malwarebytes found this supply-chain attack is affecting the following Gigaset Android devices:

  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

To prevent the malicious packages from being reinstalled by Gigaset’s compromised update server, a user told Born that they had to forcibly disable the device’s update app using the developer options and adb with the following command:

adb shell pm disable-user –user 0 com.redstone.ota.ui

Gigaset confirms cyberattack

In a call with Gigaset, Günter Born of BornCity was told that one of the company’s update servers was compromised and used to push down malicious apps.

“An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware,” explains Born.

Gigaset’s SVP of Corporate Communication Raphael Dörr shared the following statement with BleepingComputer regarding the attack and how to remove the malware:

During routine control analyses we noticed that some older smartphones are having problems with malware. This finding was also confirmed by individual customers after enquiries were made. We immediately started investigating the incident intensely by working closely with IT forensic experts and the responsible authorities. In the meantime we were able to identify a solution to the problem.

Only older smartphone models of the GS100, GS160, GS170, GS180, GS270 (plus) and GS370 (plus) series are potentially affected.

Not affected by this incident are the smartphone models of the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 series.

According to our latest information only some devices from the affected product lines were infected. Only devices on which the software updates provided by Gigaset in the past were not carried out by the user are affected. Malware was installed on these devices by a compromised server belonging to an external update service provider.

Gigaset took immediate action and contacted the update service provider. The update service provider also took immediate action and confirmed to Gigaset that the infection of smartphones could be stopped on 7 April.

Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours.

Alternatively, users can check and clean their devices manually. Please proceed as follows:

Check if your device is affected

  1. Check your software version. The current software version can be found under “Settings”à “About the phone” and at the bottom under “Build number”.
  2. If your software version is lower than or equal to the bolded version numbers below, your device could potentially be affected
    • GS160: all software versions
    • GS170: all software versions
    • GS180: all software versions
    • GS100: up to version GS100_HW1.0_XXX_V19 
    • GS270: up to version GIG_GS270_S138 
    • GS270 plus: up to version GIG_GS270_plus_S139  
    • GS370: up to version GIG_GS370_S128 
    • GS370 plus: up to version GIG_GS370_plus_S128

Uninstall the malware manually

  1. Switch on the smartphone 
  2. Check whether your device is infected by verifying under “Settings” à”App” whether one or more of the following apps are displayed:
    • Gem
    • Smart 
    • Xiaoan 
    • asenf 
    • Tayase
    • com.yhn4621.ujm0317
    • com.wagd.smarter 
    • com.wagd.xiaoan
  3. If you find one or more of the above apps, please delete them manually.
    1. Open the settings (cogwheel icon).
    2. Click on Apps & Notifications.
    3. Click on App Info.
    4. Click on the desired app.
    5. Click on the Uninstall button.
  4. Now check again whether all of the above apps have been uninstalled. If the apps are still present, please contact Gigaset Service on +49 (0)2871 912 912 (At your provider’s landline rate).
  5. If all of the apps mentioned above have been uninstalled, we recommend that you carry out all software updates available for your device.

We apologise for any inconvenience caused and will keep you informed of further developments.

Update 4/8/21: Added new statement.

Similar Posts

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

ByPR 24

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems | IT Security News Android App Android App with push notifications Sponsors Endpoint Cybersecurity www.endpoint-cybersecurity.com – Consulting in building your security products– Employee awareness training– Security tests for applications and pentesting… and more. Daily Summary Categories CategoriesSelect Category(ISC)2 Blog  (323)(ISC)2 Blog infosec  (13)(ISC)² Blog  (364)2020-12-08 –…

Global cyber attacks up as ransomware surges by 93% | #malware | #ransomware | #cybersecurity | #infosecurity | #hacker | National Cyber Security

Global cyber attacks up as ransomware surges by 93% | #malware | #ransomware | #cybersecurity | #infosecurity | #hacker | National Cyber Security

ByPR 24

Global cyber attacks have increased by 29% in the last six months, as hackers continue to exploit the COVID-19 pandemic and the shift to remote working, according to new research. The 2021 Mid-year Security Report from Check Point provides a detailed overview of the cyber threat landscape and shows the latest cyberattack trends observed throughout…

Threat Actors Distribute Backdoor After Compromising the Mongolian CA MonPass

Threat Actors Distribute Backdoor After Compromising the Mongolian CA MonPass

ByPR 24

According to cybersecurity specialists, unknown cybercriminals hacked the servers of Mongolian Certificate Authority (CA) MonPass and abused the company’s website in order to distribute malware. The organization analysis that started in April 2021 shows that a public web server hosted by MonPass was breached potentially eight separate times. Avast researchers discovered eight different webshells and…

CVE-2021-32713 – Alert Detail – Security Database

CVE-2021-32713 – Alert Detail – Security Database

ByPR 24

Executive Summary Informations Name CVE-2021-32713 First vendor Publication 2021-06-24 Vendor Cve Last vendor Modification 2021-06-25 Security-Database Scoring CVSS v3 Cvss vector : N/A Overall CVSS Score NA Base Score NA Environmental Score NA impact SubScore NA Temporal Score NA Exploitabality Sub Score NA   Calculate full CVSS 3.0 Vectors scores Security-Database Scoring CVSS v2 Cvss…

Lawyer saw no sign that software mogul McAfee would kill himself

Lawyer saw no sign that software mogul McAfee would kill himself

ByPR 24

John McAfee testifying via video during an extradition hearing at the National Court in Madrid on June 15. (AP pic) BARCELONA: Anti-virus software pioneer John McAfee’s lawyer said on Thursday he had seen no sign before the entrepreneur’s death in a Spanish prison that he would take his own life. Spanish coroners were conducting an…

Pearson Slammed for Breach – Wasn’t Just ‘Data Exposure’

Pearson Slammed for Breach – Wasn’t Just ‘Data Exposure’

ByPR 24

Breach Notification , Governance & Risk Management , Incident & Breach Response Firm Pays $1 Million Settlement After Regulator Says It Misled Investors and Victims Mathew J. Schwartz (euroinfosec) • August 17, 2021     When is a data exposure not just a data exposure? See Also: Forrester Consulting: Strained Relationship Between Security and IT…