Another supply-chain attack? Android maker Gigaset injects malware into victims' phones via poisoned update • The Register

Software nasty also 'persists after a factory reset'
Gareth Corfield Wed 7 Apr 2021 // 20:11 UTC
Android smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack.

The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.

The malicious updates were seeded on April 1, judging by reports out of Germany.

Our pals at Heise also reported the wave of infections, whose perpetrators had not been identified at the time of writing. Heise observed this morning: "Permanent removal usually fails," meaning it's difficult to remove the persistent software nasty, adding that Gigaset's "quality assurance department" had confirmed "that the company's update server has delivered the malware."

Gigaset told the news website the incident only affects "older devices," and that it would provide more details soon. Users who head over to the firm's forums will find that they are, or were at the time of writing, "down for maintenance".

The Munich-based outfit was formerly known as Siemens Home and Office Communications Devices, according to Malwarebytes. The antivirus biz identified two of the malware strains emanating from Gigaset as Android/Trojan.Downloader.Agent.WAGD and Android/Trojan.SMS.Agent.YHN4.

The attack vector is a system update application, identified as com.redstone.ota.ui. Malwarebytes' Nathan Collier speculated in a post that crooks had compromised Gigaset's update servers to distribute the Trojans, a scenario Heise's reporting – and this Google support thread – tends to confirm.

A reasonably complicated uninstallation method that successfully wipes the malware is available at the above link (if you're unfamiliar with command-line work, it's probably not for you).

A post on Gigaset's German-language corporate blog published yesterday talked at length about how criminals, er, compromised a hospital thanks to "a weak point in the hospital's IT security." Great timing.

And in a statement to El Reg today, just as we were about to run this story, Gigaset senior veep for communications Raphael Dörr told us:

During routine control analyses, we noticed that some older smartphones had problems with malware. This finding was also confirmed by inquiries from individual customers.

We take the issue very seriously and are working intensively on a short-term solution for the affected users. In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.

We expect to be able to provide further information and a solution within 48 hours. It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.

We currently assume that the devices GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 are not affected. This is all we can say for the time being – we are still investigating.