Malware infection of Gigaset Android phones and the WhatsApp/SIM problem

[German]After the (supply chain) malware attack on various Gigaset Android smartphones, WhatsApp access was blocked for many users. There is an option to have the access unlocked again. Since several people have asked whether it is safe to continue using the SIM card and WhatsApp with the phone number, I have compiled some information.


Advertising

The drama around the supply chain attack on the Gigaset Android update servers and the infection of various device models with malware was covered in the blog posts linked at the end of the article (see e.g. German Gigaset Android Update Server probably delivers malware). Some users hoped that the manufacturer Gigaset would find a solution to reliably rid the devices of the malware infestation. Currently, however, it does not look like the approaches are too successful (see, e.g., Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)). My advice was, and in the meantime continues to be, to decommission the devices. What remains, however, is the question: what about the SIM card and my WhatsApp account. Therefore, here is a summary of what you should know as a user.

The malware and WhatsApp

In the comments to the German blog postGigaset Android-Update-Server liefern vermutlich Malware aus, many affected people state that the WhatsApp account has been blocked. So something serious must have happened to the WhatsApp account after the malware attack on the devices for the operator to block the account. 

Meanwhile, the matter is clearer, as I had prepared the analysis of MalwareBytes security researchers in the blog post Preliminary analysis of Gigaset malware attack through auto-installer in firmware:

The Android/Trojan.Downloader.Agent.WAGD installed on the devices is capable of sending malicious messages via WhatsApp, among other things.

According to MalwareBytes security researchers, the malicious WhatsApp messages are most likely used to further spread the infection to other mobile devices.

It was also stated that malware capable of sending malicious SMS messages was found on some devices.

From that point on, it was clear that people should not only shut down their devices, but also keep their WhatsApp accounts locked until all implications are clarified. The fact that some users had their infected devices unblocked from WhatsApp and were subsequently blocked again several times is an extremely unpleasant state of affairs!

Note: In his April 10, 2021 article, Forbes has a nasty surprise in store for WhatsApp’s 2 billion users. Attackers can, if the phone number of a WhatsApp account is known, deactivate it via a phone call. It is also possible to prevent users from logging back into WhatsApp. Even two-factor authentication will not prevent this. 

The WhatsApp account has been abused

The above alone should give WhatsApp users food for thought. Going through the comments here on the blog about my various Gigaset posts, it becomes clear that the malware must have done a serious abuse of WhatsApp. Here is a German comment excerpt:


Advertising

There was a strange message on WhatsApp ( Asian/South American looking uniformed gentleman; later woman m. child of same origin.) which I deleted.

User Manu writes in this comment

Whatsapp was also blocked. After about 24 hours I was able to reinstall it. Then I had masses of messages from foreign numbers. After researching I found out the numbers came from Nigeria.

Alos in this German comment someone describes calls from Nigeria, India and surroundings after a WhatsApp block. The same information can be found in this German comment, and here someone even lost contacts in WhatsApp as well as got a new contact added – in other words: the contact list was modified. In this German comment it says: 

Hello, good morning, I have the same problem with a GS270 Plus. However, I have come to the conclusion that the mentioned files are spread via whatsapp. Reason: After uninstalling the files, they regularly reappear as soon as I have called whatsapp. This is also supported by the fact that devices without SIM cards are not affected.

In this German comment, user Jeff describes his experiences with the malware very vividly: access to the phone number, conversations can be listened to, numbers are dialed, WLAN connection can be disconnected, accounts with various online providers are closed (probably due to attempts to take over the account). From this point on, I would decide for myself that WhatsApp is burned – because there is a risk that my contact list will be evaluated by the pests and my circle of acquaintances will then be graced with malware (although I note here that I have not installed WhatsApp since 2018 for GDPR/privacy reasons). 

WhatsApp takeover attempts

In this German comment, , a user reports that the attackers tried to take over his WhatsApp account – and in this comment, someone writes:

Whatsapp blocked. Number can no longer be reactivated -> request WhatsApp running.

Uninstall apps -> no effect

Interesting: data must have been compromised as I received a message about Telegram (which my mom does not have and is not installed on the Gigaset). Thought, oh how cool and replied with Hi -> message was transmitted and also read … But not on my mother’s Gigaset, which has no Telegram at all!

On Facebook, I had contact in a security group with a victim who has also made extremely unpleasant experiences. He responded to my post about the malware infestation and said that his GS 270 was not compromised. I advised him to run an antivirus app with it. A few hours later, the user in question came back with the following comment.

It happened last night now. An app named com.inaction popped up on the device, and I was suddenly locked into What App. I have deleted com.inacton, and after a mail to the support Whats App could unlock by calling. By SMS did not work, apparently what was also turned that the activation SMS does not come through. I then found chat histories with a number that starts with +60 [I do not know]. I have now taken the device out of service and will no longer use it, as soon as I have a replacement device I will destroy it with a thick hammer.

In a follow-up, the user still writes, interesting is in any case the modification of the infectious apps. Apparently, one reacts to the fact that there are lists with the apps. At the latest since this experience, WhatsApp has become an incalculable risk in my eyes.

SMS messages after device change

Finally, I can refer to this comment from German blog reader Ger, who described his experiences.

my acquaintance has retired his Gigaset the SimKarte in a Xiaomi Mi A2 Lite inserted and set up (Whatsapp, Telegram, etc.) and since hourly receives any SMS with text and links in different languages gambling, DHL and Amazon.

And now you decide whether the phone number of the SIM card that was used in the infected Gigaset phone can be used on another device in good conscience. If you have a contract that is still running, I would contact the support of the mobile provider and clarify whether a change of the phone number including SIM card is possible. 

Similar articles:
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware

Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in devices, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *