Cyber criminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider.
Earlier this week, a researcher discovered that several smartphone models being sold in Germany were embedded with malware straight out of the box through a pre-installed system update app. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20pro+, running Android 10.
Symptoms of infection include browser windows suddenly opening with ads, WhatsApp accounts being blocked, Facebook accounts being taken over completely, and malicious text messages being sent automatically. These occur alongside the device toggling into Do Not Disturb mode by itself, considerably slow performance, and battery life draining much fast than expected.
Gigaset has confirmed with the Hacker News that the infections have come about as a result of hackers infiltrating a server owned by an external update service provider and that it’s taken steps to alert them of the issue.
The infections were first reported on 27 March, with Gigaset eventually closing the vulnerability on 7 April after the third-party company regained control of the compromised server.
"Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data),” the company said. “We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within eight hours.”
Hackers were able to install the malicious apps onto these Android devices by hijacking the official update channels, known on these devices as the package ‘com.redstone.ota.ui’. Because this was a pre-installed system app, victims couldn’t easily remove it using traditional methods.
Although the infections are mostly present in Germany, the attack method will concern device manufacturers worldwide. The phones were sold to customers already infected with a host of malicious apps, and no interaction was required on their part.
This is the latest supply chain attack to be reported in recent months, following a host of more devastating incidents including the infamous SolarWinds Orion Platform and Microsoft Exchange Server attacks.
