Update on malware attack on Gigaset Android devices (April 6 2021)

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,775
A quick update for all those affected by the malware infection of Gigaset Android devices via the update server. On April 5, 2021, I had a phone conversation with the German vendor Gigaset, in which they informed me about a few preliminary details of this case.

The malware attack on Gigaset Android devices

Since around Thursday (April 2, 2021), there has been a massive attack on Android devices of the Chinese-owned German vendor Gigaset. Numerous users have been reporting malware infections of their devices since last week. The first reports I saw were from April 1, 2021; more reports came in on April 2, 3 and 4, 2021. Unwanted adware apps are automatically installed on the devices and hijack the browsers on the smartphones. The consequences are serious for the device owners:
  • Browser windows suddenly open with advertisements or redirect to gambling sites
  • WhatsApp accounts are blocked (due to critical activities)
  • Facebook accounts may be taken over completely
  • SMS messages may be sent automatically
  • The device goes into “do not disturb” mode
  • The battery is drained quickly
  • The smartphone becomes slow
Initial indications from affected users suggest that data may also have been siphoned off the smartphones. I had reported extensively on this issue in the blog post German Gigaset Android Update Server probably delivers malware (more posts are only available within my German blog). A supplementary state of affairs can be found in the blog post News about the Gigaset Android smartphone malware attack (April 2021). In the German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, I had recommended decommissioning the devices (remove battery and SIM card, change the Wi-Fi password of your routers) until the manufacturer has announced how to proceed. The reason: my German blog readers had tried to remove the malware using several tools and the Android Debug Bridge (ADB). The experience was that in most cases the infection was repeated after a few hours. And a shutdown of the device wasn’t possible anymore – so there is a high risk that personal data will be siphoned off the smartphones.

Preliminary information from Gigaset

On April 6, 2021, I had a call from the quality assurance of the manufacturer Gigaset at around 16:36, in which I was given initial information. Currently, after investigations by the manufacturer, the following state of affairs is largely assured.
  • Only a part of the devices is affected by malware (devices that are supplied via a certain update server).
  • An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware.
  • According to current knowledge, this compromise of the update server has probably been resolved, so that malware is no longer reinstalled.
Device owners whose smartphones have not been affected so far can probably – according to the first cautious assessment – use them again. There are also indications that the manufacturer will soon be able to clean affected devices via an update. Here I still wait until Gigaset provides the final result of an investigation in a written statement – they promised it to me for later today.
More info can be found in this blog post:
First blog post about this attack:
 

Gandalf_The_Grey

More info from Malwarebytes in this article from Bleeping Computer:
Since the attack began, Malwarebytes has been supporting Gigaset owners on their forums and is detecting the threat as 'Android/PUP.Riskware.Autoins.Redstone.'

Based on their research, Malwarebytes states that the 'Android/PUP.Riskware.Autoins.Redstone' app will download further malware on devices that are detected as 'Android/Trojan.Downloader.Agent.WAGD.'

These secondary payloads all start with the name 'com.wagd,' and have been seen using the com.wagd.xiaoan, com.wagd.gem, com.wagd.smarter, and com.yhn4621.ujm0317 package names.

Malwarebytes states that these apps will display advertisements, install other malicious apps, and attempt to spread via WhatsApp messages.

Malwarebytes found this supply-chain attack is affecting the following Gigaset Android devices:
  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0
Malwarebytes blog post:
 

Gandalf_The_Grey

Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Let me summarize in advance some findings that security analysts from Malwarebytes have documented regarding the malware attack on Gigaset Android smartphones. I’ve blogged about that within my German blog, but I’m publishing here a translated version for my English readers. The infection took place through a combination of an infected update server and the auto-installer com.redstone.ota.ui (also referred to as Android/PUP.Riskware.Autoins.Redstone) installed in the firmware of the Gigaset Android smartphones.
Review: Malware on Gigaset Android devices
Since around Thursday (April 1, 2021), there have been massive issues with Gigaset Android devices that were suddenly infected by malware. Unwanted apps were automatically installed, leading a life of their own on the smartphones. I’ve documented my early findings within the blog post German Gigaset Android Update Server probably delivers malware (see also the articles linked at the end of this blog post).

At Malwarebytes, there was also this post in the Malwarebytes forum on the topic, which I had also linked. In parallel, I had alerted Malwarebytes about the Gigaset issue via Twitter and linked my English-language blog post for reference. Security researchers from ESET were also contacted by me – but there was no direct feedback via Twitter yet. And till now I have not yet received an in-depth technical analysis from Gigaset. So I will collect the details I obtained from several other sources as best as I can.
Insights from MalwareBytes
I came across a blog post from Malwarebytes security expert Nathan Collier a couple of hours ago. Collier has published a detailed analysis in the blog post Pre-installed auto installer threat found on Android mobile devices in Germany. He wrote:
The culprit that installs these malware apps is the update app with the package name com.redstone.ota.ui, which is a pre-installed system app. This app is not only the system updater of the mobile device, but also an auto-installer.
This auto-installer is the system updater of many Chinese-made Android mobile devices and is pre-installed on the device at the factory. Security researchers also refer to the com.redstone.ota.ui package as Android/PUP.Riskware.Autoins.Redstone, that is, riskware. According to Nathan Collier, this auto-installer installs three versions of Android/Trojan.Downloader.Agent.WAGD.
  • Package name: com.wagd.gem; App name: gem
  • Package name: com.wagd.smarter; App name: smart
  • Package name: com.wagd.xiaoan; App name: xiaoan
This is consistent with the descriptions in my blog posts (see the German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, where I mentioned more malicious apps that may have been found). Collier has posted some screenshots of the apps from mobile devices in the blog post.

Combining my information from Gigaset with the findings at Malwarebytes, attackers have probably managed to compromise the update server (from Adups) in such a way that it installs the Trojans via the com.redstone.ota.ui process. In the blog post, Nathan Collier lists the Android devices that he believes are affected (so it’s not just Gigasets):
  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0
However, I would not put my hand in the fire that Gigaset models not listed are not affected (the users here on the blog report more Gigaset models as affected). Collier only mentioned a few test devices on which he found the auto-updater.
Here, the basic problem becomes visible, which was also already mentioned by German blog reader Bolko in the comments to some of my blog posts. On the one hand, every Android device actually needs an updater for the firmware and the apps. On the other hand, this is a built-in predetermined breaking point for infections. It also means that if an attacker gains access to the update infrastructure, they can shut down all devices, bug them, or equip them with Trojans, as they please. I would clearly feel better if these updaters were under the control of companies like Google or Samsung. Instead, the bitter truth is that we have an auto-updater in the firmware of many Chinese Android devices, which is classified as riskware by security researchers.
The implications for WhatsApp
Since there are many users on the German blog whose WhatsApp account or phone number has been blocked and who are bombarded with WhatsApp messages from Africa, South America or Asia after they have been unblocked again, I’ll take up the findings with regard to this service or app. Collier writes in his blog post:
  • that the Android/Trojan.Downloader.Agent.WAGD is able to send malicious messages via WhatsApp, open new tabs in the default web browser to game websites, download more malicious apps, and possibly perform other malicious behaviors. The malicious WhatsApp messages are most likely used to further spread the infection to other mobile devices.
  • that some users have also experienced Android/Trojan.SMS.Agent.YHN4 being installed on their mobile devices. The download and installation of this SMS agent is due to the fact that Android/Trojan.Downloader.Agent.WAGD visits gaming websites that contain malicious apps. As a result, the mobile device contains malware that is capable of sending malicious SMS messages. As for the malicious WhatsApp messages, it can additionally send malicious SMS messages to spread the infection further.
According to my current assessment, the devices are compromised to the maximum, and my recommendations in the German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, given a few days ago, to shut down the devices and remove the battery and SIM cards, are proving to be correct. Whether Gigaset will manage to clean up this hodgepodge of Trojans, I have my doubts. I also have the feeling that a re-infection can happen via other Android devices that are contacted via WhatsApp or malicious SMS.

If you want to be on the safe side, shut down your Gigaset Android device for good, remove the SIM card and do not use it anymore. After all, it can’t be guaranteed that a malicious function doesn’t return via WhatsApp or an SMS. And at this point, I would like to repeat my advice:
If Gigaset devices are used for business purposes in Europe, the data protection relevance of the malware infection must be evaluated. The responsible data protection supervisory authority may have to be informed about a possible GDPR incident within 72 hours. I raise this point because some users report blocked WhatsApp accounts – so I assume that the malware accessed WhatsApp and then actively posted something. So WhatsApp contact data has to be considered stolen.
The post by Nathan Collier also contains some information on why you cannot easily remove the system updater. He also mentioned ADB to remove infected apps – as was proposed within the comments I received within my German blog. I’ll put it this way: if you are very experienced and willing to take risks, you can try the cleanup. However, I would not dare to do that – given the bouquet of possible compromises. Instead, the procedure would be: you get a clean image of the Gigaset firmware as well as instructions on which partitions you need to wipe on the memory of the mobile device. Then you install this clean firmware image, delete the various caches, change the SIM card and change all online access data. I would not use WhatsApp again – and incoming SMS messages should be handled with care, especially from unknown senders. That is, of course, an extreme position. At the moment, most users can only wait and see what details Gigaset will provide.
 
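Added example (not part of the original posts, and not code from Malwarebytes or Gigaset): a small offline triage script that checks a captured `adb shell pm list packages -f` listing against the package names quoted in this thread and in the Bleeping Computer summary above. It flags the pre-installed auto-installer com.redstone.ota.ui separately from the downloaded payloads, uses the APK path to tell firmware-resident packages from those dropped into /data/app, and generalizes the "all start with com.wagd." observation into a prefix match so that unlisted com.wagd.* packages are surfaced as well. The sample listing, including the APK paths, is constructed for the example.

```python
"""Offline triage of `pm list packages` output against the package names
reported in this thread. Added example; the sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Indicators quoted in the thread (Malwarebytes / Bleeping Computer reporting).
KNOWN_PAYLOADS = {
    "com.wagd.gem": "Android/Trojan.Downloader.Agent.WAGD",
    "com.wagd.smarter": "Android/Trojan.Downloader.Agent.WAGD",
    "com.wagd.xiaoan": "Android/Trojan.Downloader.Agent.WAGD",
    "com.yhn4621.ujm0317": "Android/Trojan.Downloader.Agent.WAGD",
}
PAYLOAD_PREFIX = "com.wagd."              # secondary payloads share this prefix
AUTO_INSTALLER = "com.redstone.ota.ui"    # pre-installed updater / auto-installer
AUTO_INSTALLER_LABEL = "Android/PUP.Riskware.Autoins.Redstone (auto-installer)"

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>". Both shapes are accepted here.
_LINE = re.compile(r"^package:(?:(?P<path>.+?)=)?(?P<pkg>[A-Za-z0-9_.]+)\s*$")


@dataclass
class Finding:
    package: str
    label: str
    path: Optional[str]
    preinstalled: bool   # True when the APK lives on a read-only system partition


def parse_pm_list(output: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (package, apk_path) pairs; apk_path is None when -f was not used."""
    for raw in output.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            yield m.group("pkg"), m.group("path")


def triage(output: str) -> List[Finding]:
    """Return the packages from the listing that match the thread's indicators."""
    findings: List[Finding] = []
    for pkg, path in parse_pm_list(output):
        preinstalled = bool(path) and path.startswith(("/system/", "/vendor/", "/product/"))
        if pkg in KNOWN_PAYLOADS:
            label = KNOWN_PAYLOADS[pkg]
        elif pkg.startswith(PAYLOAD_PREFIX):
            label = "suspected WAGD payload (com.wagd.* prefix, not in the published list)"
        elif pkg == AUTO_INSTALLER:
            label = AUTO_INSTALLER_LABEL
        else:
            continue
        findings.append(Finding(pkg, label, path, preinstalled))
    return findings


# Constructed sample listing; the APK paths are illustrative, not taken from a real device.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/system/app/Messaging/Messaging.apk=com.android.messaging
package:/data/app/com.wagd.gem-1/base.apk=com.wagd.gem
package:/data/app/com.wagd.smarter-1/base.apk=com.wagd.smarter
package:/data/app/com.yhn4621.ujm0317-1/base.apk=com.yhn4621.ujm0317
package:/data/app/com.wagd.other-1/base.apk=com.wagd.other
package:com.example.notes
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        where = "firmware" if f.preinstalled else "user partition"
        print(f"{f.package:24} {where:15} {f.label}")
```

Run on a real listing, the firmware/user-partition split matters for the cleanup discussion above: a payload under /data/app can be uninstalled per user, while the auto-installer on /system cannot be removed without reflashing, which is why the re-infection kept recurring.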

Gandalf_The_Grey

Still not going very well; possibly the new update server was also infected via a supply chain attack.
Full post here:
 

Gandalf_The_Grey

If you have a contract that is still running, I would contact the support of the mobile provider and clarify whether a change of the phone number including SIM card is possible.
 