Another supply-chain attack? Android maker Gigaset injects malware into victims’ phones via poisoned update

Android smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack.

The Trojan, once downloaded and installed on a victim’s device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.

The malicious updates were seeded on April 1, judging by reports out of Germany.

Our pals at Heise also reported the wave of infections, whose perpetrators had not been identified at the time of writing. Heise observed this morning: “Permanent removal usually fails,” meaning it’s difficult to remove the persistent software nasty, adding that Gigaset’s “quality assurance department” had confirmed “that the company’s update server has delivered the malware.”

Gigaset told the news website the incident only affects “older devices,” and that it would provide more details soon. Users who head over to the firm’s forums will find that they are, or were at the time of writing, “down for maintenance”.


The Munich-based outfit was formerly known as Siemens Home and Office Communications Devices, according to Malwarebytes. The antivirus biz identified two of the malware strains emanating from Gigaset as Android/Trojan.Downloader.Agent.WAGD and Android/Trojan.SMS.Agent.YHN4.

The attack vector is a system update application, identified as com.redstone.ota.ui. Malwarebytes’ Nathan Collier speculated in a post that crooks had compromised Gigaset’s update servers to distribute the Trojans, a scenario Heise’s reporting – and this Google support thread – tends to confirm.

A reasonably complicated uninstallation method that successfully wipes the malware is available at the above link (if you’re unfamiliar with command-line work, it’s probably not for you).
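For readers who do want to triage a device from the command line, the following is an added example (not code from the article, from Gigaset, or from Malwarebytes) of the first two checks worth running over output pulled with `adb shell pm list packages -f` and `adb shell dumpsys package packages`: is the update app named as the attack vector, com.redstone.ota.ui, present, and which packages were first installed on or after the April 1 seeding date. The package paths, the example third-party package com.example.dropped and all install timestamps below are constructed sample data, not a real device dump; the script flags candidates for manual review and does not by itself identify the malware.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -f` output (not a real device dump).
SAMPLE_PKGS='package:/system/priv-app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.dropped-1/base.apk=com.example.dropped'

# Constructed fragment of `adb shell dumpsys package packages` output: one
# "Package [name] (hash):" header per package followed by its firstInstallTime.
SAMPLE_DUMPSYS='  Package [com.android.settings] (1a2b3c):
    firstInstallTime=2019-11-20 08:00:00
  Package [com.redstone.ota.ui] (4d5e6f):
    firstInstallTime=2019-11-20 08:00:00
  Package [com.example.dropped] (7a8b9c):
    firstInstallTime=2021-04-01 13:42:10'

# has_ota_updater PKG_LIST
# Prints the APK path of the com.redstone.ota.ui package if it is installed;
# prints nothing and returns non-zero if it is absent.
has_ota_updater() {
    printf '%s\n' "$1" \
        | sed -n 's/^package:\(.*\)=com\.redstone\.ota\.ui$/\1/p' \
        | grep .
}

# packages_installed_since DUMPSYS_TEXT CUTOFF
# Prints the package names whose firstInstallTime date (YYYY-MM-DD) is on or
# after CUTOFF. ISO dates compare correctly as plain strings, so awk needs no
# date parsing.
packages_installed_since() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        /^ *Package \[/ {
            pkg = $0
            sub(/^ *Package \[/, "", pkg)
            sub(/\].*/, "", pkg)
        }
        /firstInstallTime=/ {
            split($0, kv, "=")
            if (substr(kv[2], 1, 10) >= cutoff) print pkg
        }
    '
}

# Stand-alone usage over the constructed samples. On a real device, replace the
# sample strings with "$(adb shell pm list packages -f)" and
# "$(adb shell dumpsys package packages)".
if has_ota_updater "$SAMPLE_PKGS" >/dev/null; then
    echo "update app com.redstone.ota.ui is present"
fi
echo "packages first installed on or after 2021-04-01:"
packages_installed_since "$SAMPLE_DUMPSYS" 2021-04-01
```

Anything the second check lists should be inspected by hand (its APK path, signer and installer) before deciding what to remove; a legitimate app installed on the same day will also show up, and a package that was dropped and then re-installed under a new name will not.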

A post on Gigaset’s German-language corporate blog published yesterday talked at length about how criminals, er, compromised a hospital thanks to “a weak point in the hospital’s IT security.” Great timing.

And in a statement to El Reg today, just as we were about to run this story, Gigaset senior veep for communications Raphael Dörr told us:

While waiting for more information, and if it’s an option or necessary, the safest non-technical solution is simply to turn off a potentially infected device and remove the battery and SIM. ®
