Preliminary analysis of Gigaset malware attack through auto-installer in firmware

[German]Let me summarize in advance some findings that security analysts from Malwarebytes have documented regarding the malware attack on Gigaset Android smartphones. I've blogged about that within my German blog, but I'm publishing here a translated version for my English readers. The infection took place from a combination of an infected update server in conjunction with the Auto Installers (also referred to as Android/PUP.Riskware.Autoins.Redstone) installed in the firmware of the Gigaset Android smartphones.


Review: Malware on Gigaset Android devices

Since around Thursday (April 1, 2021), there has been a massive isues with Gigaset Android devices that were suddenly infected by malware. Unwanted apps were automatically installed, leading their own life on the smartphones. I've documented my early findings within the blog post German Gigaset Android Update Server probably delivers malware (see also the articles linked at the end of this blog post).

At Malwarebytes, there was also this post in the Malwarebytes forum on the topic, which I had also linked. In parallel, I had alerted Malwarebytes about the Gigaset issue via Twitter and linked my English-language blog post for reference. Security researchers from ESET were also contacted by me – but there was no direct feedback via Twitter yet. And till now I have not yet received an in deept technical analysis from Gigaset. So I will collect the details I obtained from serveral other sources at best as a I can.

Insights from MalwareBytes

I came a couple of hours ago across a blog post from Malwarebytes security expert Nathan Collier. Collier has published a detailed analysisin the blog post Pre-installed auto installer threat found on Android mobile devices in Germany. He wrote:

The culprit that installs these malware apps is the update app with the package name, which is a pre-installed system app. This app is not only the system updater of the mobile device, but also an auto-installer.

This auto-installer is the system updater of many Chinese-made Android mobile devices and is pre-installed on the device at the factory. Security researchers also refer to the package as Android/PUP.Riskware.Autoins.Redstone, that is, riskware. According to Nathan Collier, this auto-installer installs three versions of Android/Trojan.Downloader.Agent.WAGD.

  • Package name: com.wagd.gem; App name: gem
  • Package name: com.wagd.smarter; App name: smart
  • Package name: com.wagd.xiaoan; App name: xiaoan

This is consistent with the descriptions in my blog posts (see German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, where I mentioned more malicious apps that has been found may). Collier has posted some screenshots of the apps from mobile devices in the blog post.


PUP.Riskware.Autoins.Redstone(Source: Malwarebytes)

Combining my information from Gigaset with the findings at Malwarebytes, attackers have probably managed to compromise the update server (from Adups) in such a way that it installs the Trojans via the process. In the blog post, Nathan Collier lists the Android devices that he believes are affected (so it's not just Gigasets):

  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

However, I would not put my hand in the fire that Gigaset models not listed are not affected (the users here on the blog report more Gigaset models than affected. Collier only mentioned a few test devices on which he found the auto-updater.

Here, the basic problem becomes visible, which was also already mentioned by German blog reader Bolko in the comments to some of my blog posts. On the one hand, every Android device actually needs an updater for the firmware and the apps. On the one hand, there is a built-in predetermined breaking point for infections. It also means that if an attacker access to the update infrastructure, it can shut down all devices, bug them, or equip them with Trojans, as it pleases. I would clearly feel better if these updaters were under control of companies like Google or Samsung. On the other hand, the bitter truth is that we have an auto-updater in the firmware of many Chinese Android devices, which is classified as riskware by security researchers.

The implications for WhatsApp

Since there are many users on the German blog whose WhatsApp account or phone number has been blocked and who are bombarded with WhatsApp messages from Africa, South America or Asia after they have been unblocked again, I'll take up the findings with regard to this service or app. Colier writes in his blog post:

  • that the Android/Trojan.Downloader.Agent.WAGD is able to send malicious messages via WhatsApp, open new tabs in the default web browser to game websites, download more malicious apps, and possibly perform other malicious behaviors. The malicious WhatsApp messages are most likely used to further spread the infection to other mobile devices.
  • that some users have also experienced Android/Trojan.SMS.Agent.YHN4 being installed on their mobile devices. The download and installation of this SMS agent is due to the fact that Android/Trojan.Downloader.Agent.WAGD visits gaming websites that contain malicious apps. As a result, the mobile device contains malware that is capable of sending malicious SMS messages. As for the malicious WhatsApp messages, it can additionally send malicious SMS messages to spread the infection further.

According to my current assessment, the devices are compromised to the maximum and my recommendations in the German blog post Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten, to shut down the devices, remove the battery and SIM cards, given a few day ago, are proving to be correct. Whether Gigaset will manage to clean up this hodgepodge of Trojans, I have my doubts. I also have the feeling that a re-infection can happen via other Android devices that are contacted via WhatsApp or malicious SMS.

If you want to be on the safe side, shut down your Gigaset Android device for good, remove the SIM card and do not use it anymore. After all, it can't be guaranted that a malicious function didn't returns via WhatsApp or an SMS. And at this point, I would like to repeat my advice:

If Gigaset devices are used for business purposes in Europe, the data protection relevance of the malware infection must be evaluated. The responsible data protection supervisory authority may have to be informed about a possible GDPR incident within 72 hours. I raise this point because some users report blocked WhatsApp accounts – so I assume that the malware accessed WhatsApp and then actively posted something. So WhatsApp contact data has to be quoted as stolen.

The post by Nathan Collier still contains some information that you can not easily remove the system updater. He mentioned also ADB to remove infected apps  – as well as it was proposed within the comments I received within my German blog. I'll put it this way: if you are very experienced and willing to take risks, you can try the cleanup. However, I would not dare to do that – given the bouquet of possible compromises. Instead, the procedure would be: You get a clean image of the Gigaset firmware as well as instructions on what partitions you need to wipe on the memory of the mobile device. Then you install this clean firmware image, delete the various caches, change the SIM card and change all online access data. I would not use WhatsApp again – and incoming SMS messages should be handled with care – especially from unknown senders. That is, of course, an extreme position. At the moment, most users can only wait and see what details Gigaset will provide.

Similar articles:
German Gigaset Android Update Server probably delivers malware
Neues zum Gigaset Android-Smartphone Malware-Befall (April 2021) (German)
Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten  (German)
Update on malware attack on Gigaset Android devices (April 6 2021)
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *