Owners of Gigaset Android phones have been repeatedly infected with malware since the end of March after threat actors compromised the vendor’s update server in a supply-chain attack.
Gigaset is a German manufacturer of telecommunications devices, including a series of smartphones running the Android operating system.
Starting around March 27th, users suddenly found their Gigaset mobile devices repeatedly opening web browsers and displaying advertisements for mobile game sites.
When inspecting their phone’s running apps, users found an unknown application called ‘easenf’ running which, when deleted, would automatically be reinstalled.
According to the German tech site BornCity, the easenf app was installed by the device’s system update app. Other malicious apps found alongside it include ‘gem’, ‘smart’, and ‘xiaoan.’
“Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan,” a reader told BornCity.
Since the attack began, Malwarebytes has been supporting Gigaset owners on their forums and is detecting the threat as ‘Android/PUP.Riskware.Autoins.Redstone.’
Based on their research, Malwarebytes states that the ‘Android/PUP.Riskware.Autoins.Redstone’ app will download further malware on devices that are detected as ‘Android/Trojan.Downloader.Agent.WAGD.’
These secondary payloads all start with the name ‘com.wagd,’ and have been seen using the com.wagd.xiaoan, com.wagd.gem, com.wagd.smarter, and com.yhn4621.ujm0317 package names.
Malwarebytes states that these apps will display advertisements, install other malicious apps, and attempt to spread via WhatsApp messages.
Malwarebytes found this supply-chain attack is affecting the following Gigaset Android devices:
- Gigaset GS270; Android OS 8.1.0
- Gigaset GS160; Android OS 8.1.0
- Siemens GS270; Android OS 8.1.0
- Siemens GS160; Android OS 8.1.0
- Alps P40pro; Android OS 9.0
- Alps S20pro+; Android OS 10.0
To prevent the malicious packages from being reinstalled by Gigaset’s compromised update server, a user told Born that they had to forcibly disable the device’s update app using the developer options and adb with the following command:
adb shell pm disable-user --user 0 com.redstone.ota.ui
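The following triage script is an added example and is not code from the article, Gigaset, Malwarebytes or BornCity: it checks a device’s installed-package list for the package names reported above and wraps the disable command the reader used. It assumes adb is on PATH with USB debugging enabled, and the sample package list it ships with is constructed, not real device output.

```sh
#!/bin/sh
# Added triage helper (not from the article or Gigaset): checks an Android
# package list for the package names the article reports and for the update
# app (com.redstone.ota.ui) that kept reinstalling them. Assumes `adb` is on
# PATH and USB debugging is enabled when run against a live device.
# Indicator package names quoted in the article, plus the update app.
IOC_PACKAGES="com.wagd.xiaoan com.wagd.gem com.wagd.smarter com.yhn4621.ujm0317"
UPDATER_PACKAGE="com.redstone.ota.ui"
# Constructed sample of `pm list packages` output for offline use; it is not
# real device output.
SAMPLE_PACKAGES='package:com.android.settings
package:com.wagd.gem
package:com.redstone.ota.ui
package:com.google.android.gms
package:com.yhn4621.ujm0317'

# find_suspicious: reads "package:<name>" lines on stdin and prints one line
# per hit, tagged UPDATER or IOC. Any package under com.wagd. is flagged too,
# since the article reports the secondary payloads all share that prefix.
find_suspicious() {
    while IFS= read -r line; do
        pkg=${line#package:}
        [ "$pkg" = "$line" ] && continue    # not a package entry; ignore
        tag=""
        [ "$pkg" = "$UPDATER_PACKAGE" ] && tag="UPDATER"
        for ioc in $IOC_PACKAGES; do
            [ "$pkg" = "$ioc" ] && tag="IOC"
        done
        case "$pkg" in com.wagd.*) tag="IOC" ;; esac
        if [ -n "$tag" ]; then printf '%s %s\n' "$tag" "$pkg"; fi
    done
    return 0
}

# scan_device: pulls the live package list via adb (stripping the CR that
# adb shell output often carries) and checks it.
scan_device() {
    adb shell pm list packages | tr -d '\r' | find_suspicious
}

# disable_updater: the mitigation the article's reader applied; it stops the
# update app for user 0 without uninstalling it, so the reinstall loop ends.
disable_updater() {
    adb shell pm disable-user --user 0 "$UPDATER_PACKAGE"
}

# With --device, scan the connected phone; otherwise run on the sample list.
if [ "${1:-}" = "--device" ]; then scan_device; else printf '%s\n' "$SAMPLE_PACKAGES" | find_suspicious; fi
```

Run `sh triage.sh --device` against a connected phone, then `disable_updater` only if the UPDATER line appears and the device is one of the affected models.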
Gigaset confirms cyberattack
In a call with Gigaset, Günter Born of BornCity was told that one of the company’s update servers was compromised and used to push down malicious apps.
“An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware,” explains Born.
Gigaset’s SVP of Corporate Communication Raphael Dörr shared the following statement with BleepingComputer:
“During routine control analyses, we noticed that some older smartphones had problems with malware. This finding was also confirmed by inquiries from individual customers.
We take the issue very seriously and are working intensively on a short-term solution for the affected users.
In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.
We expect to be able to provide further information and a solution within 48 hours.
It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.
We currently assume that the devices GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 are not affected.
This is all we can say for the time being – we are still investigating.” – Gigaset
Dörr is hoping to have more information to share tomorrow.