Another supply-chain attack? Android maker Gigaset injects malware into victims' phones via poisoned update

Software nasty also 'persists after a factory reset'


Android smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack.

The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.

The malicious updates were seeded on April 1, judging by reports out of Germany.

Our pals at Heise also reported the wave of infections, whose perpetrators had not been identified at the time of writing. Heise observed this morning: "Permanent removal usually fails," meaning it's difficult to remove the persistent software nasty, adding that Gigaset's "quality assurance department" had confirmed "that the company's update server has delivered the malware."

Gigaset told the news website the incident only affects "older devices," and that it would provide more details soon. Users who head over to the firm's forums will find that they are, or were at the time of writing, "down for maintenance".

The Munich-based outfit was formerly known as Siemens Home and Office Communications Devices, according to Malwarebytes. The antivirus biz identified two of the malware strains emanating from Gigaset as Android/Trojan.Downloader.Agent.WAGD and Android/Trojan.SMS.Agent.YHN4.

The attack vector is a system update application, identified as com.redstone.ota.ui. Malwarebytes' Nathan Collier speculated in a post that crooks had compromised Gigaset's update servers to distribute the Trojans, a scenario Heise's reporting – and this Google support thread – tends to confirm.

A reasonably complicated uninstallation method that successfully wipes the malware is available at the above link (if you're unfamiliar with command-line work, it's probably not for you).
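For admins who would rather triage a fleet than follow a manual removal guide, the one identifier the reporting gives is the package name of the update app, com.redstone.ota.ui. The script below is an added example, not part of the article or of anything Gigaset or Malwarebytes published: it parses the output of `adb shell pm list packages -f` (the `package:<apk path>=<package name>` format), flags the named package, and records whether the APK sits on a read-only image such as /system or /vendor, which is the general Android reason a factory reset (which wipes /data) would not remove it. The sample output is constructed for the example; the suspect-package set contains only the name taken from the article.

```python
"""Triage `pm list packages -f` output for a known suspect package.

Added example. Assumes the standard Android output format
`package:/path/to/base.apk=com.package.name`; the sample below is constructed.
"""
from typing import NamedTuple

# Only identifier given in the reporting: the OTA update app named as the vector.
SUSPECT_PACKAGES = {"com.redstone.ota.ui"}

# Partitions that a factory reset leaves untouched (it wipes /data, not these images).
READ_ONLY_IMAGES = {"system", "system_ext", "vendor", "product", "odm"}


class InstalledPackage(NamedTuple):
    name: str
    apk_path: str
    partition: str  # first path component, e.g. "system" or "data"


def parse_pm_list(output: str) -> list[InstalledPackage]:
    """Parse `pm list packages -f` lines into InstalledPackage records.

    The APK path itself may contain '=' (modern /data/app install dirs do),
    so split on the last '=' rather than the first.
    """
    pkgs = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, name = line[len("package:"):].rsplit("=", 1)
        parts = path.strip("/").split("/")
        pkgs.append(InstalledPackage(name, path, parts[0] if parts else ""))
    return pkgs


def triage(pkgs: list[InstalledPackage]) -> list[dict]:
    """Return one finding per suspect package present on the device."""
    findings = []
    for p in pkgs:
        if p.name in SUSPECT_PACKAGES:
            findings.append({
                "package": p.name,
                "path": p.apk_path,
                # On a read-only image, a factory reset will not remove the APK.
                "survives_factory_reset": p.partition in READ_ONLY_IMAGES,
            })
    return findings


# Constructed sample output (not captured from a real Gigaset device).
SAMPLE_OUTPUT = """\
package:/system/app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/data/app/~~Qx1a==/com.example.notes-Zz9==/base.apk=com.example.notes
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

if __name__ == "__main__":
    # In practice: adb shell pm list packages -f > pkgs.txt, then feed that file here.
    for finding in triage(parse_pm_list(SAMPLE_OUTPUT)):
        print(finding)
```

On a real device, pipe `adb shell pm list packages -f` into `parse_pm_list`; a finding with `survives_factory_reset` set is the case the Heise report describes, where a reset alone is not enough and the device needs vendor firmware or the manual procedure linked above.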

A post on Gigaset's German-language corporate blog published yesterday talked at length about how criminals, er, compromised a hospital thanks to "a weak point in the hospital's IT security." Great timing.

And in a statement to El Reg today, just as we were about to run this story, Gigaset senior veep for communications Raphael Dörr told us:

During routine control analyses, we noticed that some older smartphones had problems with malware. This finding was also confirmed by inquiries from individual customers.

We take the issue very seriously and are working intensively on a short-term solution for the affected users. In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.

We expect to be able to provide further information and a solution within 48 hours. It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.

We currently assume that the devices GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 are not affected. This is all we can say for the time being – we are still investigating.

While waiting for more information, and if it's an option or necessary, the safest non-technical solution is simply to turn off a potentially infected device and remove the battery and SIM. ®
