Owners of Gigaset Android phones have been repeatedly infected with malware since the end of March after threat actors compromised the vendor’s update server in a supply-chain attack.
Gigaset is a German manufacturer of telecommunications devices, including a series of smartphones running the Android operating system.
Starting around March 27th, users suddenly found their Gigaset mobile devices repeatedly opening web browsers and displaying advertisements for mobile game sites.
When inspecting their phone’s running apps, users found an unknown application called ‘easenf’ running that, when deleted, would automatically be reinstalled.
According to the German tech site BornCity, the easenf app was installed by the device’s system update app. Other malicious apps found alongside it include ‘gem’, ‘smart’, and ‘xiaoan.’
“Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan,” a reader told BornCity.
Gigaset users uploaded some of these malicious packages to VirusTotal [1, 2], where they are detected as adware or downloaders.
Since the attack began, Malwarebytes has been supporting Gigaset owners on their forums and is detecting the threat as ‘Android/PUP.Riskware.Autoins.Redstone.’
Based on their research, Malwarebytes states that the ‘Android/PUP.Riskware.Autoins.Redstone’ app will download further malware on devices that are detected as ‘Android/Trojan.Downloader.Agent.WAGD.’
These secondary payloads all start with the name ‘com.wagd,’ and have been seen using the com.wagd.xiaoan, com.wagd.gem, com.wagd.smarter, and com.yhn4621.ujm0317 package names.
Malwarebytes states that these apps will display advertisements, install other malicious apps, and attempt to spread via WhatsApp messages.
Malwarebytes found this supply-chain attack is affecting the following Gigaset Android devices:
Gigaset GS270; Android OS 8.1.0
Gigaset GS160; Android OS 8.1.0
Siemens GS270; Android OS 8.1.0
Siemens GS160; Android OS 8.1.0
Alps P40pro; Android OS 9.0
Alps S20pro+; Android OS 10.0
To prevent the malicious packages from being reinstalled by Gigaset’s compromised update server, a user told Born that they had to forcibly disable the device’s update app using the developer options and adb with the following command:
In a call with Gigaset, Günter Born of BornCity was told that one of the company’s update servers was compromised and used to push down malicious apps.
“An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware,” explains Born.
The company also shared the following statement with BornCity:
“During routine control analyses, we noticed that some older smartphones had malware issues. This finding was also confirmed by inquiries from individual customers.
We take the issue very seriously and are working intensively on a short-term solution for the affected users.
In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.
We expect to be able to provide further information and a solution within 48 hours.
It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.
We currently assume that the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 devices are not affected.” – Gigaset
BleepingComputer has reached out to Gigaset with additional questions but has not heard back.