Gigaset devices laced with malware after third-party server hack

Several Android smartphones have been pre-packaged with malicious apps as part of a supply chain attack

Cyber criminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider.

Earlier this week, a researcher discovered that several smartphone models being sold in Germany were embedded with malware straight out of the box through a pre-installed system update app. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20pro+, running Android 10.

Symptoms of infection include browser windows suddenly opening with ads, WhatsApp accounts being blocked, Facebook accounts being taken over completely, and malicious text messages being sent automatically. These occur alongside the device toggling into Do Not Disturb mode by itself, considerably slow performance, and battery life draining much fast than expected.

Gigaset has confirmed with the Hacker News that the infections have come about as a result of hackers infiltrating a server owned by an external update service provider and that it’s taken steps to alert them of the issue.

The infections were first reported on 27 March, with Gigaset eventually closing the vulnerability on 7 April after the third-party company regained control of the compromised server.

"Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data),” the company said. “We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within eight hours.”

Hackers were able to install the malicious apps onto these Android devices by hijacking the official update channels, known on these devices as the package ‘com.redstone.ota.ui’. Because this was a pre-installed system app, victims couldn’t easily remove it using traditional methods.

Although the infections are mostly present in Germany, the attack method will concern device manufacturers worldwide. The phones were sold to customers already infected with a host of malicious apps, and no interaction was required on their part.

This is the latest supply chain attack to be reported in recent months, following a host of more devastating incidents including the infamous SolarWinds Orion Platform and Microsoft Exchange Server attacks.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Business customers can get 30% off the Surface Laptop Go for Black Friday 2021
Laptops

Business customers can get 30% off the Surface Laptop Go for Black Friday 2021

26 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021