Proprietary · 2021-03-27 · 11 days · Malware Distribution, Downloader, SMS Abuse, Adware

Gigaset update service delivered malware

Older Gigaset Android phones received malware through the pre-installed Update app after an external update service server was compromised. Reports began around late March and early April 2021, with Gigaset saying the infection was stopped on April 7.

Story

The Gigaset incident used Android maintenance software. The package com.redstone.ota.ui was a pre-installed system updater, not an app a user had chosen from a store. On affected older phones, that trusted update path reinstalled malware after users removed it.

Malwarebytes identified the updater as Android/PUP.Riskware.Autoins.Redstone and reported that it installed Android/Trojan.Downloader.Agent.WAGD payloads whose package names begin with com.wagd. (the trailing dot is part of the prefix). Users saw browsers opening to game sites, unwanted apps returning after deletion, and messages sent through WhatsApp. Some devices also received Android/Trojan.SMS.Agent.YHN4, adding SMS abuse to the chain.

The persistence came from the updater's position in the supply chain. Because the updater lived in the read-only system image, ordinary uninstall attempts removed only the visible payloads installed in user data. The same trusted maintenance component could restore them, which made the compromise feel to users like a phone that kept reinfecting itself.
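The following triage script is an added example for this record; it is not code from Gigaset, Malwarebytes, or the incident reports. It parses the output of adb shell pm list packages -f (one line per package in the form package:<apk path>=<package name>), flags the two indicators named above (the com.redstone.ota.ui updater and any com.wagd. package), and reports whether the updater sits on a system partition, which is the condition that makes a user-level uninstall of the payloads insufficient. The sample listing and the payload name com.wagd.example are constructed for the example, not observed on a real device.

```python
"""Triage an installed-package listing for the Gigaset-style indicators.

Input is the text of `adb shell pm list packages -f`, one line per package
in the form `package:<apk path>=<package name>`.  The sample at the bottom
is constructed for this example, not captured from a real device.
"""
import re
from dataclasses import dataclass

# Indicators taken from the incident write-up above.
UPDATER_PACKAGE = "com.redstone.ota.ui"
PAYLOAD_PREFIX = "com.wagd."

# APKs under these roots live in the read-only system image.  A package
# there survives an ordinary uninstall and can reinstall user-space payloads.
SYSTEM_ROOTS = ("/system/", "/vendor/", "/product/", "/system_ext/", "/odm/")

LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    reason: str


def parse_pm_list(text: str) -> list[tuple[str, str]]:
    """Return (package name, apk path) pairs; lines that do not match are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("name"), m.group("path")))
    return pairs


def is_system_partition(path: str) -> bool:
    """True when the APK path is inside the system image rather than /data."""
    return path.startswith(SYSTEM_ROOTS)


def triage(text: str) -> list[Finding]:
    """Flag the known updater package and any com.wagd. payload."""
    findings = []
    for name, path in parse_pm_list(text):
        if name == UPDATER_PACKAGE:
            where = "system image" if is_system_partition(path) else "user data"
            findings.append(Finding(name, path, f"known updater package installed in {where}"))
        elif name.startswith(PAYLOAD_PREFIX):
            findings.append(Finding(name, path, "payload package-name prefix"))
    return findings


def reinstall_risk(findings: list[Finding]) -> bool:
    """True when the updater is on a system partition and payloads are present.

    In that state, uninstalling the payloads alone does not remove the
    component that can put them back; the device needs a firmware fix.
    """
    updater_in_system = any(
        f.package == UPDATER_PACKAGE and is_system_partition(f.path) for f in findings
    )
    payload_present = any(f.package.startswith(PAYLOAD_PREFIX) for f in findings)
    return updater_in_system and payload_present


# Constructed sample listing; com.wagd.example is a hypothetical payload name.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/RedstoneOTA/RedstoneOTA.apk=com.redstone.ota.ui
package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/com.wagd.example-1/base.apk=com.wagd.example
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp
"""

if __name__ == "__main__":
    results = triage(SAMPLE_PM_OUTPUT)
    for f in results:
        print(f"{f.package}\t{f.path}\t{f.reason}")
    print("reinstall risk:", reinstall_risk(results))
```

Run it against a real listing by piping adb shell pm list packages -f into a file and passing that text to triage(). The reinstall_risk() result is the check a support desk would want: if it is true, removing the com.wagd. apps is not a fix on its own, and the device needs the vendor's firmware update.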

Gigaset later said older GS100, GS160, GS170, GS180, GS270, GS270 plus, GS370, and GS370 plus lines were potentially affected, while newer listed models were not. The company attributed the malware installation to a compromised server belonging to an external update service provider and said the infection path was stopped on April 7, 2021.

Affected Artifacts

com.redstone.ota.ui

android · gigaset.com · System App
Observed
2021-03-27 to 2021-04-07
Compromised Versions
Unknown
Fixed
Not listed
  • Gigaset said only some devices from older product lines were infected and that affected devices were those where past software updates had not been carried out by the user.
  • Potentially affected Gigaset lines were GS100, GS160, GS170, GS180, GS270, GS270 plus, GS370, and GS370 plus.
  • Malwarebytes also observed Android/PUP.Riskware.Autoins.Redstone on Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+ devices.
  • Gigaset said GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3, and GS4 were not affected according to its information at the time.

Incident Context

Motive
Malware Distribution
Cause
Update Infrastructure Compromise
Transitive
No

External References

Source record: proprietary/gigaset/meta.yaml