Gigaset devices laced with malware after third-party server hack

Several Android smartphones have been pre-packaged with malicious apps as part of a supply chain attack

Cyber criminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider.

Earlier this week, a researcher discovered that several smartphone models being sold in Germany were embedded with malware straight out of the box through a pre-installed system update app. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20pro+, running Android 10.

Symptoms of infection include browser windows suddenly opening with ads, WhatsApp accounts being blocked, Facebook accounts being taken over completely, and malicious text messages being sent automatically. These occur alongside the device toggling into Do Not Disturb mode by itself, considerably slow performance, and battery life draining much fast than expected.

Gigaset has confirmed with the Hacker News that the infections have come about as a result of hackers infiltrating a server owned by an external update service provider and that it’s taken steps to alert them of the issue.

The infections were first reported on 27 March, with Gigaset eventually closing the vulnerability on 7 April after the third-party company regained control of the compromised server.

"Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data),” the company said. “We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within eight hours.”

Hackers were able to install the malicious apps onto these Android devices by hijacking the official update channels, known on these devices as the package ‘com.redstone.ota.ui’. Because this was a pre-installed system app, victims couldn’t easily remove it using traditional methods.

Although the infections are mostly present in Germany, the attack method will concern device manufacturers worldwide. The phones were sold to customers already infected with a host of malicious apps, and no interaction was required on their part.

This is the latest supply chain attack to be reported in recent months, following a host of more devastating incidents including the infamous SolarWinds Orion Platform and Microsoft Exchange Server attacks.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021