April 8, 2021 at 6:17 pm #12739 UK Sentinel (Moderator)
- Posts 3412
Software so nasty it also ‘persists after a factory reset’
Android smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack.
The Trojan, once downloaded and installed on a victim’s device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.
The malicious updates were seeded on April 1, judging by reports out of Germany.
Heise also reported the wave of infections, whose perpetrators had not been identified at the time of writing. Heise observed this morning: “Permanent removal usually fails,” meaning it’s difficult to remove the persistent software nasty, adding that Gigaset’s “quality assurance department” had confirmed “that the company’s update server has delivered the malware.”
Gigaset told the news website the incident only affects “older devices,” and that it would provide more details soon. Users who head over to the firm’s forums will find that they are, or were at time of writing, “down for maintenance”.
The Munich-based outfit was formerly known as Siemens Home and Office Communications Devices, according to Malwarebytes. The antivirus biz identified two of the malware strains emanating from Gigaset as Android/Trojan.Downloader.Agent.WAGD and Android/Trojan.SMS.Agent.YHN4.
The attack vector is a system update application, identified as com.redstone.ota.ui. Malwarebytes’ Nathan Collier speculated in a post that crooks had compromised Gigaset’s update servers to distribute the Trojans, a scenario Heise’s reporting – and this Google support thread – tend to confirm.
In a completely sane world, madness is the only freedom (J.G.Ballard).
April 8, 2021 at 6:19 pm #12740 UK Sentinel (Moderator)
- Posts 3412
Also, Gigaset: Malware infestation of the manufacturer’s Android devices reveals mysteries
Owners of Android smartphones from Gigaset have been battling malware for several days. Meanwhile, a compromised update server has been confirmed as the source.
Since last Friday, both the author of this post and heise online have received information from Gigaset smartphone owners who suddenly found themselves confronted with malicious code on their Android devices.
The “symptoms” described range from redirects to gambling sites and displayed ads, through issues with WhatsApp, to access to private data and unwanted apps being installed unasked. Permanent removal usually failed. Some signs point to a compromised Gigaset (update) server as a possible source of the malicious code; however, an official statement from the company has yet to be made.
In a completely sane world, madness is the only freedom (J.G.Ballard).