[German]A quick update for all those affected by the malware infection of Gigaset Android devices via update server. I had on April 5, 2021 a phone conversation with German vendor Gigaset where they informed me about a few preliminary details of this case.
The malware attack on Gigaset Android devices
Since around Thursday (April 1, 2021), there has been a massive attack on Android devices of Chinese owned German vendor Gigaset. Numerous users have been reporting malware infections of the device since last week. First reports I saw were from April 1, 2021, more reports came in on April 2, 3, 4, 2021. Unwanted adware apps are automatically installed and on the devices and hijacked browsers on smartphones. The consequences are serious for the device owners:
- Browser windows suddenly open with advertisements or redirect to gambling sites
- WhatsApp accounts are blocked (due to critical activities)
- Facebook accounts may be taken over completely
- SMS messages may be sent automatically
- The device goes into "do not disturb" mode
- The battery is drained quickly
- The smartphone becomes slow
Initial indications from affected users suggest that data may also have been deducted from the smartphones. I had reported extensively on this issue in the blog post German Gigaset Android Update Server probably delivers malware (more posts are only available within my German blog). A supplementary state of affairs can be found in the blog post News about the Gigaset Android smartphone malware attack (April 2021). In the German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, I had recommended decommissioning the devices (remove battery and SIM card, change the Wi-Fi password of your routers) until by the manufacturer has released how to proceed.The reason: My German blog readers had tried to remove the malware using several tools and Android Debug Bridge (ADB). The experience was, that in most cases the infection was repeated after a few hours. And a shutdown of the device wasn't possible anymore – so it's a high risk, that personal data will be deducted from the smartphones.
Preliminary information from Gigaset
On April 6, 2021, I had a call from the quality assurance of the manufacturer Gigaset at around 16:36, in which I was given initial information. Currently, the following state of affairs, after investigations by the manufacturer is largely assured.
- Only a part of the devices is affected by malware – (devices that are supplied via a certain update server).
- An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware.
- According to current knowledge, this compromise of the update server has probably been resolved, so that malware is no longer reinstalled.
Device owners whose smartphones have not been affected so far can probably – according to the first cautious assessment – use them again. There are also indications that the manufacturer will soon be able to clean affected devices via an update. Here I still wait until Gigaset provides the final result of an investigation in a written statement – they promised me for later today.
There's also a statement from Gigaset, which I'm posting below without further comment – note the indication of which smartphones are not affected. When I have more (robust) information, I'll post that. Here is their preliminary that was released to the public (I've translated).
During routine control analyses, we noticed that some older smartphones had malware issues. This finding was also confirmed by inquiries from individual customers.
We take the issue very seriously and are working intensively on a short-term solution for the affected users.
In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.
We expect to be able to provide further information and a solution within 48 hours.
It is also important to mention at this point that, according to current knowledge, the incident only affects older devices.
We currently assume that the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 devices are not affected.
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)
Cookies helps to fund this blog: Cookie settings