After a Supply Chain Attack, Gigaset Android Smartphones were Infected with Malware


Threat actors infiltrated at least one update server of smartphone manufacturer Gigaset to distribute malware in a recent supply chain assault that made headlines.

Gigaset, a German software manufacturer, was the target of a supply chain attack in which threat actors gained access to at least one of the company’s servers and used it to spread malware.

Gigaset AG is a German multinational company that was formerly known as Siemens Home and Office Communication Devices. The company’s primary focus is on communications technology. DECT telephones are made by Gigaset. It had 888 staff, 280 million Euro in income, and sales activities in around 70 countries in 2018.

Around April 1, 2021, the malware was shipped to the German vendor’s Android devices as part of a supply chain assault. According to the blog BornCity, multiple users have reported malware infections, with their devices infected with adware programmed to show unwanted and intrusive advertisements. A large number of Android users also mentioned the infections on Google’s help forums.

Heise.de, a German website, released a list of unwanted applications (or package names) and services that had been installed on users’ smartphones. The following list is not exhaustive, and other apps may be present on the impacted devices:

  • easenf
  • com.wagd.smarter
  • com.wagd.xiaoan
  • according to
  • smart
  • AppSettings
  • Tayase
  • com.yhn4621.ujm0317
  • BBQ browser
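
The following check is an added example, not code from Heise.de, BornCity or Gigaset. It parses the output of `adb shell pm list packages -f` and flags exact matches against the three dotted entries in the list above, on the assumption that those are package names and the remaining entries are app labels, which this command does not show. The sample output is constructed.

```python
# Added example: flag package names reported on this page in `pm list packages -f` output.
# Assumption: only the dotted entries in the list are package names; the rest are app labels.
REPORTED_PACKAGES = {
    "com.wagd.smarter",
    "com.wagd.xiaoan",
    "com.yhn4621.ujm0317",
}

# Constructed sample output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/~~Qx1aZ0k3mA==/com.wagd.smarter-9fK2pL==/base.apk=com.wagd.smarter
package:/data/app/com.yhn4621.ujm0317-1/base.apk=com.yhn4621.ujm0317
package:/data/app/com.example.smarter-1/base.apk=com.example.smarter

garbage line without prefix
"""


def parse_pm_line(line):
    """Return (apk_path, package_name), or None if the line is not a package entry."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    body = line[len("package:"):]
    # Newer Android versions use directory names ending in '=' inside the APK path,
    # so split on the LAST '=' only. Without -f there is no path and no '=' at all.
    path, _sep, name = body.rpartition("=")
    if not name:
        return None
    return path, name


def find_reported(pm_output, reported=REPORTED_PACKAGES):
    """Return sorted (package_name, apk_path) pairs whose name exactly matches the list."""
    hits = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed and parsed[1] in reported:
            hits.append((parsed[1], parsed[0]))
    return sorted(hits)


if __name__ == "__main__":
    for name, path in find_reported(SAMPLE_PM_OUTPUT):
        print(f"reported package present: {name} ({path})")
```

Because the published list is not exhaustive, an empty result does not show that a device is clean.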

Below is the list of potential consequences of the infections reported by BornCity:

  • Browser windows suddenly open with advertisements or redirect to gambling sites
  • WhatsApp accounts are blocked (due to critical activities)
  • Facebook accounts may be taken over completely
  • SMS messages may be sent automatically
  • The device goes into “do not disturb” mode
  • The battery is drained quickly
  • The smartphone becomes slow

“Initial indications from affected users suggest that data may also have been deducted from the smartphones. I had reported extensively on this issue in the blog post German Gigaset Android Update Server probably delivers malware (more posts are only available within my German blog),” states the BornCity website.

Sending WhatsApp and SMS messages is one of the most concerning symptoms recorded by Gigaset users; in some cases, WhatsApp suspended the accounts for suspicious activity.

The supply chain attack was verified by Gigaset, who announced that only users who received firmware updates from one of the compromised servers were affected. “A short-term solution for the affected users” is already being worked on by the provider.

“We discovered several older smartphones with malware issues during routine control analyses. Inquiries from individual customers backed up this conclusion. We take the problem very seriously and are working hard to find a quick fix for the affected users.

We’re doing this in collaboration with IT forensic experts and the appropriate authorities. We will notify affected users as soon as possible and provide instructions for resolving the problem.

Within 48 hours, we hope to be able to provide more information and a solution.

It’s also worth mentioning at this stage that, as far as we know, the incident only affects older devices.”

According to a Gigaset spokesperson, the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 devices are not affected.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.