Older Gigaset smartphone models have been attacked by malware delivered through the manufacturer's update servers since March 26, 2021, and increasingly since April 1, 2021. On April 8, 2021 the manufacturer, Gigaset, published the notice Lösung Malware-Angriff Smartphones with instructions for cleaning up the malware infestation of its Android devices. According to the feedback so far, however, this does not really work for many people. Gigaset has now issued revised guidance, dated April 12, 2021, on how to clean up the devices. Hence a brief update with the latest findings.
Findings on the infection
What has emerged from the feedback and analyses of those affected: two update providers (#1: RedStone, #2: Adups), both based in China, were used in the firmware of the older Gigaset Android smartphones. If I interpret Gigaset's announcements and the changes observed during the update attempts correctly:
- the update provider RedStone (possibly since the first malware attack in 2019) no longer functions as a source of updates,
- the switch to the Adups update server was attempted via a device firmware update. This update does not appear to have been carried out successfully on all devices.
Gigaset has since admitted that third parties managed to distribute the malware via an update server in a supply chain attack. I had informed the security researchers at Malwarebytes via Twitter. In this article about the Gigaset malware attack they write that a package com.redstone.ota.ui, preinstalled in the firmware as a system app, was responsible for distributing the malware. This system app was not only the device's system updater but also an auto-installer, detected as Android/PUP.Riskware.Autoins.Redstone. So it was a Redstone update server that was compromised. It remains unclear at this point whether the updates were not digitally signed at all or whether the private signing key fell into the hands of third parties.
In the meantime, Gigaset uses the firmware update service of the company Adups, as one can learn from the comments on this German Gigaset blog post about the Gigaset smartphones GS3 and GS4. On newer Gigaset devices the Adups update service runs as the com.adups.fota process; the abbreviation FOTA stands for Firmware Over The Air.
Gigaset writes that Adups is a well-known provider whose update service already serves more than 1 billion customers worldwide. According to Gigaset, the provider acts purely as the operator of a service platform for installing software updates; Gigaset's own development teams in Germany and Poland supply this platform exclusively with Android device software tested by Gigaset. My problem: back in 2017 the German IT magazine heise reported in the article Adups: Android-Riskware mit Déjà-vu-Effekt that this provider Adups has a very dubious reputation.
A blog reader reports his observations to me via Facebook, which pretty much describe the above scenario:
The biggest hurdle for me on both devices was that no updates were available without first manually flashing an update. The devices were on patch level August 2018 and stubbornly claimed that there were no updates.
My theory: they changed the update server in a version I never received, and the old one no longer exists. Our devices have always searched only on the old one and found nothing there (except viruses from a certain point on).
And with the old update server things get ugly. In a technical analysis, Malwarebytes security experts found that three variants of the Android/Trojan.Downloader.Agent.WAGD malware were installed on the infected systems via com.redstone.ota.ui. The package name of this malware always starts with "com.wagd." followed by the app name (gem, smart, xiaoan). I had outlined the consequences of an infection with Android/Trojan.Downloader.Agent.WAGD in the blog post here. In addition, some device owners picked up further malware from gaming websites to which the browser was redirected by the Android/Trojan.Downloader.Agent.WAGD Trojan. Various malicious apps, from cryptocurrency miners to a Trojan that sends malicious SMS messages to spread the infection further, were installed via the downloader. The comment here:
my GS280 does not have redstone.ota but adups.fota and still got infected. I think the infection has just not yet become so strikingly obvious for the users of the "newer" devices. (PS: do not use WhatsApp or Facebook.) The infection is probably stockpiled until the originators add new lucrative attack points.
makes me nervous. Because surely this means that the new Adups update server was also compromised via a supply chain attack (or there is a major misunderstanding).
From that point on, the only sensible course was to shut down the Gigaset smartphones, since in my view the devices were compromised. For example, the app yhn4621.ujm0317 (base.apk) keeps being reinstalled. Other malware, some of it reloaded via the (possibly infected) store apps, was reported here as well as here. The com.wagd.xiaoan.apk malware probably uses a botnet to distribute further malware (see). Which malware ends up installed varies from device to device.
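For readers who want to check a device themselves rather than rely on what the Malwarebytes app reports, here is an added triage script (my own example, not code from the original post, from Malwarebytes or from Gigaset). It parses the output of `adb shell pm list packages -f` and flags the package names mentioned above (com.redstone.ota.ui, com.adups.fota, the com.wagd.* family and yhn4621.ujm0317), and it records whether each APK sits under /data or on a read-only image such as /system, because a factory reset wipes only /data. The sample output embedded in the script is constructed; only the package names come from the text above, and the indicator list is exactly what this page names, not a complete set.

```python
"""Triage helper for the Gigaset infection (added example, not from the post).

Usage:  adb shell pm list packages -f | python3 gigaset_triage.py
Without piped input it runs against the constructed sample below.
"""
import sys
from typing import Dict, List

# Package names taken from the analyses quoted above. This is only what the
# page names; a package not in this list is not proof of a clean device.
UPDATERS = {
    "com.redstone.ota.ui": "RedStone OTA updater / auto-installer (server compromised)",
    "com.adups.fota": "Adups FOTA updater (current Gigaset update path)",
}
MALWARE_PREFIXES = ("com.wagd.",)        # com.wagd.gem, com.wagd.smart, com.wagd.xiaoan
MALWARE_PACKAGES = {"yhn4621.ujm0317"}   # reported as reappearing on affected devices

# Constructed sample of `pm list packages -f` output. The APK directory names
# are made up; only the package names are from the text above.
SAMPLE_PM_OUTPUT = """\
package:/system/app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.wagd.gem-1/base.apk=com.wagd.gem
package:/data/app/com.wagd.xiaoan-1/base.apk=com.wagd.xiaoan
package:/data/app/yhn4621.ujm0317-1/base.apk=yhn4621.ujm0317
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
"""


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path. Each line looks like package:<path>=<name>."""
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, name = line[len("package:"):].rsplit("=", 1)
        packages[name] = path
    return packages


def partition_of(apk_path: str) -> str:
    """First path component of the APK location: 'system', 'vendor', 'data', ..."""
    first = apk_path.strip("/").split("/", 1)[0]
    return first or "unknown"


def survives_factory_reset(apk_path: str) -> bool:
    """A factory reset wipes the userdata partition (/data). APKs on the
    read-only images stay in place. Heuristic: anything not under /data survives."""
    return partition_of(apk_path) != "data"


def classify(packages: Dict[str, str]) -> Dict[str, List[dict]]:
    """Split the package list into known updaters and suspicious packages."""
    report: Dict[str, List[dict]] = {"updaters": [], "suspicious": []}
    for name, path in sorted(packages.items()):
        entry = {
            "package": name,
            "path": path,
            "partition": partition_of(path),
            "persistent": survives_factory_reset(path),
        }
        if name in UPDATERS:
            entry["note"] = UPDATERS[name]
            report["updaters"].append(entry)
        elif name.startswith(MALWARE_PREFIXES) or name in MALWARE_PACKAGES:
            report["suspicious"].append(entry)
    return report


def main() -> None:
    text = SAMPLE_PM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = classify(parse_pm_list(text))
    for kind in ("updaters", "suspicious"):
        print(f"== {kind} ==")
        for e in report[kind]:
            fate = "persists across factory reset" if e["persistent"] else "wiped by factory reset"
            print(f"  {e['package']:24} {e['path']}  [{fate}]")
            if "note" in e:
                print(f"      {e['note']}")


if __name__ == "__main__":
    main()
```

The point of the partition column: an updater such as com.redstone.ota.ui that lives under /system is untouched by the factory reset Gigaset recommends, which is consistent with the reports below that the reset did not help. A clean result from this script is also not a clean bill of health; it matches names, not file hashes, and a renamed downloader would pass straight through.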
Unsuccessful repair attempts by Gigaset
Basically, the manufacturer Gigaset is responsible for removing the malware; after all, they should know their system best. However, the instructions Lösung Malware-Angriff Smartphones issued by Gigaset on April 8, 2021 for cleaning up the malware infection of its Android devices proved to be a total failure: according to feedback from blog readers, the infection could not be removed. Gigaset has since published revised instructions for cleaning up infected devices, dated April 12, 2021; German blog reader Gerold pointed them out here:
Reset to factory settings necessary
We recommend affected customers to completely wipe the device by resetting it to factory settings. We also recommend deleting data stored on a memory card inserted in the smartphone beforehand and formatting the card. About this:
Why does the device have to be reset?
The reason is that, according to current knowledge, the malicious apps that initially made their way onto some smartphones through the compromised server reload further malicious apps that also have undesirable effects on the smartphone. To prevent this, the smartphone must be reset to factory settings. This ensures that all malicious apps are removed from memory. Personal data and apps can then be restored by the customer from the usual cloud and PC backups.
The linked Gigaset instructions describe these steps in more detail. Unfortunately, this approach has two problems that are real but do not appear in the instructions.
- In this comment, a blog reader writes that the factory reset did not help him: the Malwarebytes app still finds the Android/Trojan.HiddenAds.ACI malware. Whether something went wrong during the reset, I cannot say.
- A number of users (including here, here and here, see user Paul) report devices that no longer boot after a factory reset.
If we draw a line under the experiences above, we are left with the sobering conclusion that after a week we are no further along than we were at Easter. The manufacturer's repair instructions do not allow a reliable cleanup of the infected devices (I'll put it positively, because the question remains whether any of the devices were successfully cleaned at all). So I still recommend shutting down the devices and, if necessary, sending them to Gigaset for repair.
In another (planned) article I will summarize some thoughts on why I see a problem even with reusing the SIM card in another device, or would at least act very carefully. This applies especially to the misuse of WhatsApp and SMS.
Similar articles:
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9, 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9, 2021) – Part 2
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)