Gigaset, the German manufacturer of smartphones and communication devices (formerly Siemens Home and Office Communication Devices), has been hit by cybercriminals in yet another supply-chain attack.
According to the German portal Heise, an update server was compromised by cybercriminals, and since the end of last month users of Android smartphones manufactured by Gigaset have been receiving Trojans disguised as an update.
Once installed, the malware can open the browser to show ads from betting sites, fetch further malicious applications, and even spread itself via WhatsApp and text messages.
On a Google support page (in German), several Gigaset customers reported a browser opening by itself to show betting-site ads, problems with WhatsApp, and access to personal and private data, in addition to the malware installing other malicious apps and being very difficult to remove.
Malware behavior
According to a technical analysis by Malwarebytes, victims were identified on smartphones of the brands Gigaset, Siemens and Alps. Gigaset and Siemens come from the same manufacturer; Alps is a Japanese manufacturer unrelated to Gigaset.
“It is important to remember that this pre-installed update application is not the same as that described in Android ‘System Update’. The malware steals photos, videos, GPS location. In that case, it is simply disguised as an update application, but it is not a pre-installed system application”, Malwarebytes researchers write.
According to the researchers, the majority of victims were infected by a malicious application called Trojan.Downloader.Agent.WAGD, but there were also victims infected with Trojan.SMS.Agent.YHN4.
While both trojans focus on opening web pages offering ads from betting sites, they have slightly different behaviors. WAGD spreads only via WhatsApp while YHN4 can spread via both WhatsApp and SMS.
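The Malwarebytes observation above (the malicious updater is not a pre-installed system app) gives a defender a concrete check: list the packages on the device over adb and flag any package that names itself like an updater but is installed in user space rather than on the system partition. The script below is an added example, not code from the article or from Malwarebytes; it parses the output format of `adb shell pm list packages -f`, and the sample lines and the package name com.example.sysupdate are constructed.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `adb shell pm list packages -f` output.
# Each line has the form: package:<path-to-apk>=<package-name>
SAMPLE_OUTPUT = """\
package:/system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk=com.google.android.gsf
package:/system/app/Updater/Updater.apk=com.vendor.updater
package:/data/app/com.example.sysupdate-1/base.apk=com.example.sysupdate
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp
"""

# Read-only partitions where genuine pre-installed apps live.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/")
# Substrings that suggest a package presents itself as an updater.
UPDATE_HINTS = ("update", "upgrade", "ota")


def parse_packages(output: str) -> List[Tuple[str, str]]:
    """Return (package_name, apk_path) pairs from `pm list packages -f` output."""
    pairs = []
    for line in output.splitlines():
        m = re.match(r"package:(?P<path>.+)=(?P<pkg>[^=]+)$", line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("path")))
    return pairs


def is_system_path(path: str) -> bool:
    """True if the APK sits on a read-only system partition."""
    return path.startswith(SYSTEM_PREFIXES)


def suspicious_updaters(output: str) -> List[str]:
    """Packages that look like an updater by name but were installed into
    /data/app, i.e. are not pre-installed system apps (the trait noted by
    Malwarebytes). Package names are a heuristic; a user-visible label can
    say "System Update" while the package name does not, so treat a hit as a
    lead for manual inspection, not as proof."""
    hits = []
    for pkg, path in parse_packages(output):
        looks_like_updater = any(h in pkg.lower() for h in UPDATE_HINTS)
        if looks_like_updater and not is_system_path(path):
            hits.append(pkg)
    return hits


def list_packages_via_adb() -> str:
    """Run the real command against a connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg in suspicious_updaters(SAMPLE_OUTPUT):
        print("user-installed package posing as an updater:", pkg)
```

Replace `SAMPLE_OUTPUT` with `list_packages_via_adb()` to run it against a real device; a hit from /data/app is worth comparing against the vendor's known updater package before acting on it.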
Official position
In a statement to Heise, Gigaset confirmed that some users received malware from a compromised update server. However, according to the company, the malware only infected older devices from the manufacturer, and it reported that the infection has been fixed. Users who were already infected, however, are still unable to use their devices safely.
On the same Google support page, some users reported that it was virtually impossible to remove the malware, as it came back onto the device even after being uninstalled. For that reason, the author of the Heise story recommends that affected users stop using the device until the manufacturer finds a safe solution for those infected.
“As long as the manufacturer Gigaset is unable or unwilling to disclose all the details of the infection and provide reliable solutions, the devices can simply be seen as compromised … Remove the battery (if possible), remove the SIM card and also change the Wi-Fi password on the router to avoid any contact with the Internet. Passwords for all accounts that were used to connect to Gigaset devices must also be changed”, he writes.
Sources: Heise; Google support; Malwarebytes.