Gigaset devices laced with malware after third-party server hack

Several Android smartphones have been pre-packaged with malicious apps as part of a supply chain attack

Cyber criminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider.

Earlier this week, a researcher discovered that several smartphone models being sold in Germany were embedded with malware straight out of the box through a pre-installed system update app. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20pro+, running Android 10.

Symptoms of infection include browser windows suddenly opening with ads, WhatsApp accounts being blocked, Facebook accounts being taken over completely, and malicious text messages being sent automatically. These occur alongside the device toggling into Do Not Disturb mode by itself, considerably slow performance, and battery life draining much fast than expected.

Gigaset has confirmed with the Hacker News that the infections have come about as a result of hackers infiltrating a server owned by an external update service provider and that it’s taken steps to alert them of the issue.

The infections were first reported on 27 March, with Gigaset eventually closing the vulnerability on 7 April after the third-party company regained control of the compromised server.

"Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data),” the company said. “We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within eight hours.”

Hackers were able to install the malicious apps onto these Android devices by hijacking the official update channels, known on these devices as the package ‘com.redstone.ota.ui’. Because this was a pre-installed system app, victims couldn’t easily remove it using traditional methods.

Although the infections are mostly present in Germany, the attack method will concern device manufacturers worldwide. The phones were sold to customers already infected with a host of malicious apps, and no interaction was required on their part.

This is the latest supply chain attack to be reported in recent months, following a host of more devastating incidents including the infamous SolarWinds Orion Platform and Microsoft Exchange Server attacks.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021