[German]In Part 1 I had analyzed the information Lösung Malware-Angriff Smartphones released by the company Gigaset on April 8, 2021 with regard to the automatic deletion of the malware infection of various Android devices. This works, according to previous feedback, for some people, but it is not really reliable. Now, Gigaset has additionally published instructions on how to clean the devices manually. Here's a look at that issue, as well as a listing of issues that aren't addressed at all in the Gigaset information.
Manual cleanup of the infection?
In the blog post Lösung Malware-Angriff Smartphones the vendor Gigaset gives users instructions on how to check devices for an infestation. For this purpose, the manufacturer provides the following instructions:
Check if your device is affected
- Check your software version. The current software version can be found under "Settings" à "About the phone" at the bottom under "Build number".
- If your software version is lower or equal to the below mentioned bolded version numbers, your device is potentially affected
- GS160 all software versions
- GS170 all software versions
- GS180 all software versions
- GS100 up to version GS100_HW1.0_XXX_V19
- GS270 up to version GIG_GS270_S138
- GS270 plus up to version GIG_GS270_plus_S139
- GS370 up to version GIG_GS370_S128
- GS370 plus up to version GIG_GS370_plus_S128
This can be left as it is for now. Then there are the following instruction steps to determine whether malware apps are installed on the device:
- Start the smartphone
- Check if your device is infected by going to "Settings" à "App" and checking if one or more of the following apps are displayed:
- If you find one or more of the above apps, please delete them manually.
- Open the settings (gear icon).
- Tap Apps & Notifications.
- Tap on App Info.
- Tap the app you want to delete.
- Click on the uninstall button.
This approach alone has some flaws that make you doubt the sense of the instructions.
- The list of apps above is incomplete – blog reader Bolko has already touched on it in this German comment. Depending on the device, there will be more malware apps that are not included in the uninstall instructions above.
- In addition, I refer to my post Preliminary analysis of Gigaset malware attack through auto-installer in firmware with the analysis by Nathan Collier. This points out that the auto-installer installs three versions of Android/Trojan.Downloader.Agent.WAGD (Gem, Smart, Xioan).
According to Collier's analysis, Android/Trojan.Downloader.Agent.WAGD is able to open new tabs in the default web browser to game websites, download more malicious apps and possibly perform other malicious behaviors. Collier writes that some users have also found the Android/Trojan.SMS.Agent.YHN4 malicious app on their mobile devices. The download and installation of this SMS agent is due to the fact that Android/Trojan.Downloader.Agent.WAGD redirected users to gaming websites, which in turn contain malicious apps. This also explains that users have found crypto-miners and other malicious apps on their devices.
The blog then also receives user messages like this German comment confirming the reinstallation of the malicious app com.yhn4621.ujm0317:
just observed a self-installing com.yhn4621.ujm0317 after I uninstalled everything according to the instructions.
Now also uninstalled this, it was not in my app list before, just popped up with an install request,
with reject clicked away and still on it
Another user recently contacted me with the following comment:
Dear Mr. Born,
about 1/2 hour after you posted the message from Gigaset, I uninstalled the above malware from my GS170 again. And 1/4 hour later Tayase was back on. Either the server is still spitting, or my GS170 is now reinstalling on its own, but it's not warming up right now….
Again, this ultimately confirms that manually uninstalling the malware wasn't really possible. On the other hand, blog reader Bolko lists locations in this comment where a "cleanup" supposedly worked. The opposite experience is described in this comment, where the GS160 no longer boots.
Note: Currently, it appears that the auto-updates at least try to install a clean firmware image on the device. According to the comment here, the download of the repair files is extremely slow and can take up to 8 hours. These 8 hours are also mentioned by Gigaset in the repair note.
The bottom line is: The infected devices are compromised, no one knows exactly which malware was installed on the respective devices and is still active. Attempting to remove the malware manually is like playing Russian roulette: it may work, but it doesn't have to and it can even go badly wrong. At most, it would be helpful on the premise that you clean the device for the time being, in the hope that the automatic update can update the firmware image before re-infection and thus remove all malware and reliably prevent re-infection.
When I had the first phone call with Gigaset technology, my hope was that the whole thing would be solved more radically, if necessary. Users are offered a clean installation image of the firmware via update, which is then manually downloaded and installed on the device. All partitions (including the data and Dalvik cache) are also emptied in the process, as outlined here. Whether this works through the auto-update in this radical form, reliably for the mass of those affected, is unclear to me so far. It does not leave me with a good feeling of the kind "I'm sure everything is eliminated". So every device owner has to decide for himself how to proceed.
Contact vendor support
At this point, I'm going to hit the brakes hard. When a car experiences something of a problem, there is a recall from the manufacturer to have the cause fixed by specialist repair shops. I postulate that a majority of Gigaset customers are not able to cleanly perform the above steps to manually clean up the infected device. And even those who have successfully gone through the automatic repair or cleaned the device manually are subject to a residual risk. Gigaset writes in its instructions:
Now check again whether all of the above apps have been uninstalled. If the apps are still present, please contact Gigaset Service at +49 (0)2871 912 912 (At your provider's landline rate).
I recommend accepting this offer and insisting on a "repair" of the device by the manufacturer. Because in the end it is like the above mentioned car: The customer has bought and paid for the product and then it does not correspond in its characteristics to the manufacturer's specifications. So the manufacturer has to repair it at his own expense.
What was not addressed
Apart from the question: Is it possible to reset the compromised smartphone to a secure and clean state, Gigaset did not address the following points at all in its instructions here:
- It is known that owners of compromised devices with WhatsApp were locked out of their account and received WhatsApp messages from all over the world after the account was unlocked again. So the SIM card phone number assigned to WhatsApp has been widely distributed. What about the phone number compromised in WhatsApp? Can the device be re-infected via WhatsApp as a result of this incident?
- It is known that SMS messages were sent via compromised devices – it is suspected that this was an attempt to spread the malware. It is possible that premium services were also targeted via SMS. Who will pay for the costs and consequences?
- In the article Preliminary analysis of Gigaset malware attack through auto-installer in firmware, I had mentioned the observation that the malware routines booked paid options on gambling sites or in apps, the costs of which are collected via the mobile carrier. If this is the case, who will pay for this damage?
There is also the risk of data leakage – what exactly the malware apps did is not clear from the Gigaset information. Companies that have used Gigaset devices or employees who use the smartphone professionally have to evaluate the data protection relevance of the malware infestation. It may be necessary to inform the responsible data protection authority about a possible DSGVO incident within 72 hours. I had already recommended this in the German article Malwareangriff: Was Gigaset Android-Gerätebesitzer jetzt machen sollten
It may be that the information I gathered in the two articles is not accurate in all points – and many devices are somehow cleaned of malware via auto-update – we will have to wait and see. What can be stated, however: Gigaset mobile devices were infected by malware via update servers of the manufacturer without the owners' intervention or fault. Whether the automatic or manual cleanup of infected devices will work after 8 or 10 hours remains to be seen – I'm skeptical.
In addition, the instructions should definitely have included a note to remove the SIM cards during the 8-hour auto-repair to prevent SMS and WhatsApp messages from being sent via the infected apps/devices. A large part of the users will also not be able to perform a manual cleanup of the devices. And whether for sure all malware on the device is removed, who wants to guarantee that?
How it looks like with the phone number and incurred costs is completely open. In addition, it appears that this was not the first incident with malware at Gigaset and that at least parts of the software are delivered via China. It is up to each user to decide whether they want to continue using the mobile devices and store very sensitive or important data there. From my point of view, it is too early for an all-clear of the kind "phew, another good thing". I would have wished it differently for those affected and the manufacturer.
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)
Cookies helps to fund this blog: Cookie settings