German Gigaset Android Update Server probably delivers malware

[German]A German blog reader just informed me, that German smartphone manufacturer Gigaset seems to be affected by a hack. At least one of the Android update servers is probably delivering malware. Here's the information I have so far.


Advertising

German blog reader Volko has sent me an email with the relevant information a couple of hours ago (thanks for that). Volko wrote:

Hello Mr. Born,

just in time for the long Easter weekend, the Gigaset company is apparently affected by a security super-GAU: At least one of the update servers for Android smartphones has apparently been compromised and has been delivering malware for several days, which is automatically installed on various Gigaset smartphones via the update app running in the background as a system process.

We have four Gigaset GS180s in use in our family (2x D2 network + 2x E network), of which, strangely enough, only the two smartphones with E network sim cards were affected.

The malware made itself equally noticeable on both smartphones by suddenly opening browser windows with advertisements for some (gambling?) game sites.

Of course, installation from unknown sources is deactivated on the smartphones, and for security reasons both third-party services third-party services, special numbers and international calls are blocked by the phone provider. The potential for damage in this case is therefore limited, especially since fortunately only my children's cell phones were affected, and unlike my smartphone and my wife's smartphone, none of the – now unavoidable – banking apps are installed on them.

Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan.

I reported the problem yesterday by phone to Gigaset customer service and they promised to take care of it and give me feedback.

I have a Gigaset GS 180 – but without a SIM card – floating around here as a test copy. I could not find any of these apps there during a test. Volko then sent me this link to the Google support forum where the problem has been discussed since the beginning of the week:

Easenf app is always back on my phone. I keep deleting it, it's malware right?

The easenf APP is back on my phone even though I keep deleting it. I have read that it has to do with malware.

In the thread in question, several users have posted that they all own Gigaset devices and have found this app. Another user wrote:

I can confirm the behavior on a Gigaset GS180. Additionally, the following apps were installed today:

– com.wagd.smarter

– com.wagd.xiaoan

Have uninstalled these apps.

Additionally, in several browsers (Firefox Clear, Opera, Firefox, Brave…) I had an ad page for some game as the home page. Had to clear all caches/data from the browsers – so far ok.

I can agree with my predecessor, the systemapp update.apk is running. Why it runs at all is not clear to me, since I turned off automatic updates in the developer options.

Since my phone is rooted, I uninstalled the systemapp update.apk.

A user uploaded the .apk files to Virustotal (see here). At Virustotal, the installed apps are listed as Adware.AndroidOS.BrowserAd.A!c or similar. The screenshot below shows the evaluation for one of these apps.

Adware app on Virustotal
Adware app on Virustotal, Click to zoom


Advertising

Inspired by the aforementioned forum thread in which the participant "Markus Marquito" solved the problem by uninstalling the update app as
Root, Volko has found a workaround without "rooting" the smartphone within this German blog post:

Vorinstallierte Android Apps ohne root entfernen

Volko writes that it is sufficient to deactivate the update app on the smartphone via developer options and adb using the following command:

adb shell pm disable-user –user 0 com.redstone.ota.ui

To be on the safe side, everyone should check the correctness of the package name beforehand on the smartphone with the update system process running via the developer options, active processes and process properties of the "Update App"! Volko writes about this:

After I have permanently deactivated the update app on the two affected smartphones and, to be on the safe side, also on the other two GS180s, the problem fortunately no longer exists with us now.

We can only be lucky that the criminals in this case were obviously only interested in placing annoying advertisements, which led to the malware infestation in the first place. The damage potential of a keylogger or similar software running unnoticed in the background, for example, is unimaginable.

At this point, a big thank you to Volko for the information and the work he did. As briefly mentioned above, I can't find any of the apps on my Gigaset GS 180 – possibly because they don't have a SIM card – or I missed something.

A search of the web so far has not turned up anything except the thread above, already linked by Volko. The Android malware reported by Zimperium here also seems to be something else. However, owners of Gigaset smartphones have already fallen victim to such an attack in 2019 (see Vorsicht, App! Gigaset-Smartphones von Malware betroffen).  A press request to Gigaset is out – but I don't expect a quick response there. Can anyone confirm the above information, or are any of you still affected by the above malware? If so, are there any other findings or sources on the web?

Attention: I recommend all Gigaset Android device owners to shut down the device and removes the SIM card and the battery (if still possible). Make sure, that the device can't connect to to internet. Use a computer or an non infected device to change your online account passwords. Then wait, what Gigaset will recommend.

Addendum: I had a phone call from Gigaset quality assurance department today. They confirmed, one update server has been compromised. Only models using this update server has been affected. The malware delivery has been stopped. There will be a chance, that compromised devices will be automatically cleaned during the next days. I will prepare a separate blog post about my knowledge, after I got written confirmation from Gigaset folks.

Last Note: Currently the English blog her suffers a bit, due to the fact, that I'm a native German blogger  – funding me with the visits of my German blog – so the bleeding edge is always on my German blog (deepl.com will be your fried). I've written and cross linked several more articles within my German blog (see the link at the top of this article). In short: Note my recommendation, to switch off your affected Gigaset device. Don't use the advices given at the comments below – I know, they are given with best efforts – but during the last days I've learned from many skilled German blog readers, that it's not simple, to clean a compromised device 100%. If I got confirmation from Gigaset, I will publish a recommendation, how to proceed. Thanks for your patience and understanding.

An updated status can be read within my article Update on malware attack on Gigaset Android devices (April 6 2021).

Similar articles:
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware

Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2

Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Android, devices, Security, Update and tagged , , . Bookmark the permalink.

29 Responses to German Gigaset Android Update Server probably delivers malware

  1. Andrey says:

    My Fly Nimbus 16 cellphone has been infected with "smarter" and "xiaoan" for a while.
    I have removed Chrome via adb and "smarter" reinfection stopped.
    Unfortunately "xiaoan" reinfection continues.
    I'll try to remove com.redstone.ota.ui, let's see….

    • Andrey says:

      In fact, this app was in my cellphone at least for several years.
      It caused no troubles until last month, when browser started to open unwanted pages by itself.
      After investigation, I've got it.
      But the initial infection had happened several years ago.
      It seems like the virus is embed into some core google services and updates.

  2. Kaleb says:

    I just found the "xiaoan" malware on my VKWorld T2 Plus Android phone today and factory resetting the phone does NOT get rid of it…(Android 7)

  3. Joe says:

    I have had this exact problem for the last few days on my Vivax smartphone. It keeps reinstalling these three apps (gem, smart, xiaoan)…still don't know what to do.

  4. Advertising

  5. Pierre says:

    My Gigaset GS170 has been infected a few days ago. First I have been blocked from whatsapp then ads started poping up on Chrome which got me to panic a bit so I went for a hard reset hoping to solve the matter. After the hard reset … well, ads kept coming back on Chrome (the homepage also changed from time to time), then Firefox after I disactivated Chrome, then Opera after I disactivated Firefox. Despite deleting xiaoan and smart apps eveytime, they kept coming back too.

    Thanks to this blog post and a topic on the malwarebytes forum I was able to go as far as uninstalling the update app, as everyone seems to think that the problem comes from there. Scanned with Kaspersky/Avast/Malwarebytes immediatly after to make sure everything was fine. Now I'll activate my Chrome app again and see if it works better. I hope for some good news tomorrow morning if nothing strange pops up on the phone during the night, but what a pain in the *** !

    • Janique Dewelle says:

      Dear Pierre,
      could you help me to find the way to uninstall the update app, please.
      Thank you
      KR

  6. Kathi says:

    Yes, can confirm all the above. End of March, suddenly game websites opened on my Gigaset 160 without doing anything. April 1st got banned from whatsapp, figured there was malware, checked for unknown apps I had never downloaded. Deinstalled one (Xioan ), but other ones with different names but same icon kept popping up. Made screen shots of app list to see what had changed within a few hours. Kept uninstalling the ones that had newly popped up, but eventually gave up. Next day, other legit programs stopped working until phone literally shut down itself. After factory reset and the use of google play to re-download WhatsApp to get reinstated, it started again. It was the only download after the factory reset! Meanwhile read in another block that they suggested google play to be the trigger for activating the dormant malware.

  7. NicoW says:

    My Gigaset phone GS160 has Android 6.0 last update was 5 may 2018.
    I removed the xiaoan app, but the next day it was back again.

  8. Matthias says:

    I have the same issue on my Gigaset GS170 since yesterday. I noticed the problem when advertisement popped up in Chrome. I then deleted xiaonan, smart, etc. but they just keep reinstalling after a while…

  9. Philippe says:

    Many thanks for this post. That's also what is happening to my GS170 since a few days.
    After the problem started to occur, I installed Avast and Malwarebytes. Avast detects and deletes infected gem, xiaoan and smart, but it keeps coming back after several hours.
    Malwarebytes detects an infection on installation service, which cannot be disabled. After a factory reset, installation service is still infected.
    I'll try the procedure explained in this post.

    Just wondering : after update app is disabled, there will no be more updates of the system ? Isn't it a problem on the long term ?

  10. Uti says:

    Ich habe seit gestern das gleiche Problem:
    Ich kann zwar die smart und xiaoan app löschen jedoch erscheint dann immer noch im Virusprogramm das ich
    com.wagd.smarter
    – com.wagd.xiaoan
    löschen soll. Diese App werden nicht vom Virusprogramm gefunden. Was kann man noch tun?

  11. Walter says:

    I tried to check the package-name as suggested :

    "To be on the safe side, everyone should check the correctness of the package name beforehand on the smartphone with the update system process running via the developer options, active processes and process properties of the "Update App"!

    Unfortunately I can't find a way to see the package-name. It's not provided in Apps, nor is the App visible in Running Services (although it's not disabled)

    Is there no way to verify the name with ADB ?

    Further : this is A GREAT and USEFUL post !!!

    • Fabrice says:

      Hi,
      Tap the About Phone option generally near the bottom of the list.
      Then tap the Build Number option 7 times to enable Developer Mode. You will see a toast message when it is done.
      Now go back to the main Settings screen and you should see a new Developer Options menu you can access.
      In these developer Options, go to Active services. Find tap on the Update service and at the bottom of the page you'll find the process'name, normally com.redstone.ota.ui.
      Best,
      Fabrice

      https://www.xda-developers.com/install-adb-windows-macos-linux/Developpers option

  12. Janique Dewelle says:

    Dear all,
    Could you help me to find the way to uninstall update app on Gigaset GS270 please.
    Thank you
    Regards
    Janique

    • papen says:

      You can try to list the apps under Settings / Apps -> tap on the 3 dots -> Show system.
      Then you can see an app called 'Upgrade'
      I assume that app should be disabled, but the disable button is inactive.

      Is there any news about the fix?
      Very annoying that these malware apps are reinstalled every day.

  13. Ira says:

    Many thanks for the above post. I had the same problem starting last week, with gambling ads appearing, my homepage in Google overwritten by it. Apps like gem, xiaoan, smart, upgrade appearing. In Google Play installed apps it suddenly mentioned (Chinese) apps like Happy Jump etc. Since I try to keep my phone as clean as possible and have few apps installed I had no idea what happened. Deleted the apps, installed MBAM and Kapersky, but this virus kept overwriting permissions and causing crashes when I tried to get rid of it. The Upgrade app could not be removed and seemed responsible for restarting all apps on reboot. I also had Screen Lock Service in my Device Moderators that I could not get rid of..no app with that name to remove. I had the feeling that the installations had somethin to do with Google Play, because that app kept crashing.
    In filemanager there were files appearing like ML.Android, AP.Android, in the folder Android/data there was an extra folder starting with A and followed by a lot of nrs/letters, there was a folder called Idlepub and all came back after deleting them.

    After reading your post and Volko's tips I decide to try this solution, did see the Rsota/redstone package in my adb and uninstalled it. This seems to have solved most of the problems.
    After reboot Screen Lock Service and Find my Device are turned on again, and auto-start in Settings acts a bit abnormal, but so far I had 2 days without weird apps appearing.
    Upgrade is still in my list of system apps, mentioning: not installed for this user.
    Fingers crossed this is it. I did write in to Gigaset to ask for a solution, since my newly bought phone is also a Gigaset that I do not dare to use now.
    Thanks again for posting
    Ira

  14. Fabrice says:

    Hi,

    Same issue on my GS160/Android 6 phone.

    I tried to deactivate the update app on the smartphone via developer options and adb using the adb shell pm disable-user –user 0 com.redstone.ota.ui command, but I get the following error:

    Error: java.lang.SecurityException: Permission Denial: attempt to change component state from pid=18645, uid=2000, package uid=1000

    Any clue why and how to solve this?

    Thanks in advance.

    Fabrice

  15. Ira says:

    Deleted the redstone package through adb and that seems to have solved most of the problems. There were quite a few:
    * in filemanager files like ML.Android, OP.Android etc kept appearing, a file named Idlepubs was added, and in the Android file there was a file with a lot of letters/nrs. Deleting those just meant they came back in no time.
    * gem, xioaocan, smart, tayase showed up on virusscans, but returned after deleting and the app Upgrade could not be removed.
    * Google Play acting weird, resulting in phone crashing and only able to reboot in factory mode. Malicious apps would install again right after rebooting.
    * Homepage Chrome overwritten with an ad-page
    *Apps added like Happy Jump and other Chinese ones
    *Authorizations given to apps I had blocked them for
    * Apps like Find my Device and Screen Lock Service appearing in Device Manager, but not in list of apps and turning off was overwritten with every restart or visit to Google Play. Those 2 are still there and have to be turned off manually after a restart, even after deleting the RSota package.

  16. Bruin says:

    For me the same thing. I have a Gigaset GS160. Started with ban by Whatsapp. Removed the 3 apps mentioned above. Even after reset to factory settings the undesired websites occurred in the (Chromium) browser and the apps appeared, even 2 more (the names forgotten ). Emptied caches of Chromium and Vivaldi, now it looks like clean. For safety disabled from internet and SIM-card transferred to another smartphone.

  17. papen says:

    "At least one of the Android update servers is probably delivering malware."
    They haven't fixed it yet apparently, I still get those malware apps every day again.

    "I reported the problem yesterday by phone to Gigaset customer service and they promised to take care of it and give me feedback."

    Is there any news about the feedback?

  18. NicoW says:

    I also contacted Gigaset. They are aware of this serious matter and are working on it…!

  19. Kathi says:

    I advise everybody to contact Gigaset customer service! I have addressed a recall and replacement as, by now, my phone has suffered so much damage that I have no more trust in this being fixed. My fear: Once they patch the problem from their side, we might find that our phone is beyond using with functions failing or being unreliable. Then what??

    • guenni says:

      Concerning "the trust" in this vendor, I agree. I will publish a follow up article – the German editions are already online. In best case, the devices will be automatically cleaned by system updates (that's what we see now). But in worst case they didn't catch all malware and I got some reports, that devices got bricked. More will follow in the article.

  20. Ira says:

    So far my GS160 is fine, after a factory rest, because I could not reinstall redstone. ota.ui.
    The only thing out of the ordinary is Facebook Lite updating when I have automated updates turned off. My GS180 that I had synchronized with the 160 on 30/3 immediately started with the system update and does not seem affected at all.
    Anyone else with feedback on this fix?

  21. n00bstyle says:

    it worked for me
    adb shell pm uninstall –user 0 com.redstone.ota.ui

Leave a Reply to Kathi Cancel reply

Your email address will not be published. Required fields are marked *