[German]A German blog reader just informed me, that German smartphone manufacturer Gigaset seems to be affected by a hack. At least one of the Android update servers is probably delivering malware. Here’s the information I have so far.
German blog reader Volko has sent me an email with the relevant information a couple of hours ago (thanks for that). Volko wrote:
Hello Mr. Born,
just in time for the long Easter weekend, the Gigaset company is apparently affected by a security super-GAU: At least one of the update servers for Android smartphones has apparently been compromised and has been delivering malware for several days, which is automatically installed on various Gigaset smartphones via the update app running in the background as a system process.
We have four Gigaset GS180s in use in our family (2x D2 network + 2x E network), of which, strangely enough, only the two smartphones with E network sim cards were affected.
The malware made itself equally noticeable on both smartphones by suddenly opening browser windows with advertisements for some (gambling?) game sites.
Of course, installation from unknown sources is deactivated on the smartphones, and for security reasons both third-party services third-party services, special numbers and international calls are blocked by the phone provider. The potential for damage in this case is therefore limited, especially since fortunately only my children’s cell phones were affected, and unlike my smartphone and my wife’s smartphone, none of the – now unavoidable – banking apps are installed on them.
Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan.
I reported the problem yesterday by phone to Gigaset customer service and they promised to take care of it and give me feedback.
I have a Gigaset GS 180 – but without a SIM card – floating around here as a test copy. I could not find any of these apps there during a test. Volko then sent me this link to the Google support forum where the problem has been discussed since the beginning of the week:
Easenf app is always back on my phone. I keep deleting it, it’s malware right?
The easenf APP is back on my phone even though I keep deleting it. I have read that it has to do with malware.
In the thread in question, several users have posted that they all own Gigaset devices and have found this app. Another user wrote:
I can confirm the behavior on a Gigaset GS180. Additionally, the following apps were installed today:
Have uninstalled these apps.
Additionally, in several browsers (Firefox Clear, Opera, Firefox, Brave…) I had an ad page for some game as the home page. Had to clear all caches/data from the browsers – so far ok.
I can agree with my predecessor, the systemapp update.apk is running. Why it runs at all is not clear to me, since I turned off automatic updates in the developer options.
Since my phone is rooted, I uninstalled the systemapp update.apk.
A user uploaded the .apk files to Virustotal (see here). At Virustotal, the installed apps are listed as Adware.AndroidOS.BrowserAd.A!c or similar. The screenshot below shows the evaluation for one of these apps.
Adware app on Virustotal, Click to zoom
Inspired by the aforementioned forum thread in which the participant “Markus Marquito” solved the problem by uninstalling the update app as
Root, Volko has found a workaround without “rooting” the smartphone within this German blog post:
Volko writes that it is sufficient to deactivate the update app on the smartphone via developer options and adb using the following command:
adb shell pm disable-user –user 0 com.redstone.ota.ui
To be on the safe side, everyone should check the correctness of the package name beforehand on the smartphone with the update system process running via the developer options, active processes and process properties of the “Update App”! Volko writes about this:
After I have permanently deactivated the update app on the two affected smartphones and, to be on the safe side, also on the other two GS180s, the problem fortunately no longer exists with us now.
We can only be lucky that the criminals in this case were obviously only interested in placing annoying advertisements, which led to the malware infestation in the first place. The damage potential of a keylogger or similar software running unnoticed in the background, for example, is unimaginable.
At this point, a big thank you to Volko for the information and the work he did. As briefly mentioned above, I can’t find any of the apps on my Gigaset GS 180 – possibly because they don’t have a SIM card – or I missed something.
A search of the web so far has not turned up anything except the thread above, already linked by Volko. The Android malware reported by Zimperium here also seems to be something else. However, owners of Gigaset smartphones have already fallen victim to such an attack in 2019 (see Vorsicht, App! Gigaset-Smartphones von Malware betroffen). A press request to Gigaset is out – but I don’t expect a quick response there. Can anyone confirm the above information, or are any of you still affected by the above malware? If so, are there any other findings or sources on the web?
Attention: I recommend all Gigaset Android device owners to shut down the device and removes the SIM card and the battery (if still possible). Make sure, that the device can’t connect to to internet. Use a computer or an non infected device to change your online account passwords. Then wait, what Gigaset will recommend.
Addendum: I had a phone call from Gigaset quality assurance department today. They confirmed, one update server has been compromised. Only models using this update server has been affected. The malware delivery has been stopped. There will be a chance, that compromised devices will be automatically cleaned during the next days. I will prepare a separate blog post about my knowledge, after I got written confirmation from Gigaset folks.
Last Note: Currently the English blog her suffers a bit, due to the fact, that I’m a native German blogger – funding me with the visits of my German blog – so the bleeding edge is always on my German blog (deepl.com will be your fried). I’ve written and cross linked several more articles within my German blog (see the link at the top of this article). In short: Note my recommendation, to switch off your affected Gigaset device. Don’t use the advices given at the comments below – I know, they are given with best efforts – but during the last days I’ve learned from many skilled German blog readers, that it’s not simple, to clean a compromised device 100%. If I got confirmation from Gigaset, I will publish a recommendation, how to proceed. Thanks for your patience and understanding.
An updated status can be read within my article Update on malware attack on Gigaset Android devices (April 6 2021).
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2
Cookies helps to fund this blog: Cookie settings