fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Gigaset Android Phones Infected By Malware Via Hacked Update Server

Gigaset Android Phones Infected By Malware Via Hacked Update Server

Owners of Gigaset Android phones have been repeatedly infected with malware since the end of March after threat actors compromised the vendor’s update server in a supply-chain attack.

Gigaset is a German manufacturer of telecommunications devices, including a series of smartphones running the Android operating system.

Starting around March 27th, users suddenly found their Gigaset mobile devices repeatedly opening web browsers and displaying advertisements for mobile game sites.

When inspecting their phone’s running apps, users found an unknown application called ‘easenf ‘ running, that when deleted, would automatically be reinstalled.

According to the German tech site BornCity, the easenf app was installed by the device’s system update app. Other malicious apps found alongside it include ‘gem’, ‘smart’, and ‘xiaoan.’

“Three malware apps were installed on each of the two affected smartphones, which could fortunately be terminated and uninstalled without any problems, but which were then repeatedly reloaded by the update app running in the background as a system process, unless the update app was terminated manually after each restart: easenf or gem, and in both cases smart and xiaoan,” a reader told BornCity.

Gigaset users uploaded some of these malicious packages to VirusTotal [12], where they are detected as adware or downloaders.

Since the attack began, Malwarebytes has been supporting Gigaset owners on their forums and is detecting the threat as ‘Android/PUP.Riskware.Autoins.Redstone.’

Based on their research, Malwarebytes states that the ‘Android/PUP.Riskware.Autoins.Redstone’ app will download further malware on devices that are detected as ‘Android/Trojan.Downloader.Agent.WAGD.’

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

Malicious apps installed on Gigaset phones
Source: Malwarebyte forum

These secondary payloads all start with the name ‘com.wagd,’ and have been seen using the com.wagd.xiaoancom.wagd.gemcom.wagd.smarter, and com.yhn4621.ujm0317 package names.

Malicious gem app installed on a Gigaset device

Malwarebytes states that these app will display advertisements, install other malicious apps, and attempt to spread via WhatsApp messages.

Malwarebytes found this supply-chain attack is affecting the following Gigaset Android devices:

  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

To prevent the malicious packages from being reinstalled by Gigaset’s compromised update server, a user told Born that they had to forcibly disable the device’s update app using the developer options and adb with the following command:

adb shell pm disable-user –user 0 com.redstone.ota.ui

Gigaset confirms cyberattack

In a call with Gigaset, Günter Born of BornCity was told that one of the company’s update servers was compromised and used to push down malicious apps.

“An update server used by Gigaset devices for updating was compromised, so that the affected devices were infected by malware,” explains Born.

Gigaset’s SVP of Corporate Communication Raphael Dörr shared the following statement with BleepingComputer regarding the attack and how to remove the malware:

During routine control analyses we noticed that some older smartphones are having problems with malware. This finding was also confirmed by individual customers after enquiries were made. We immediately started investigating the incident intensely by working closely with IT forensic experts and the responsible authorities. In the meantime we were able to identify a solution to the problem.

Only older smartphone models of the GS100, GS160, GS170, GS180, GS270 (plus) and GS370 (plus) series are potentially affected.

Not affected by this incident are the smartphone models of the GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 series.

According to our latest information only some devices from the affected product lines were infected. Only devices on which the software updates provided by Gigaset in the past were not carried out by the user are affected. Malware was installed on these devices by a compromised server belonging to an external update service provider.

Gigaset took immediate action and contacted the update service provider. The update service provider also took immediate action and confirmed to Gigaset that the infection of smartphones could be stopped on 7 April.

Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours.

Also Read: 4 Considerations In The PDPA Singapore Checklist: The Specifics

Alternatively, users can check and clean their devices manually. Please proceed as follows:

Check if your device is affected

  1. Check your software version. The current software version can be found under “Settings”à “About the phone” and at the bottom under “Build number”.
  2. If your software version is lower than or equal to the bolded version numbers below, your device could potentially be affected
    • GS160: all software versions
    • GS170: all software versions
    • GS180: all software versions
    • GS100: up to version GS100_HW1.0_XXX_V19 
    • GS270: up to version GIG_GS270_S138 
    • GS270 plus: up to version GIG_GS270_plus_S139  
    • GS370: up to version GIG_GS370_S128 
    • GS370 plus: up to version GIG_GS370_plus_S128

Uninstall the malware manually

  1. Switch on the smartphone 
  2. Check whether your device is infected by verifying under “Settings” à”App” whether one or more of the following apps are displayed:
    • Gem
    • Smart 
    • Xiaoan 
    • asenf 
    • Tayase
    • com.yhn4621.ujm0317
    • com.wagd.smarter 
    • com.wagd.xiaoan
  3. If you find one or more of the above apps, please delete them manually.
    1. Open the settings (cogwheel icon).
    2. Click on Apps & Notifications.
    3. Click on App Info.
    4. Click on the desired app.
    5. Click on the Uninstall button.
  4. Now check again whether all of the above apps have been uninstalled. If the apps are still present, please contact Gigaset Service on +49 (0)2871 912 912 (At your provider’s landline rate).
  5. If all of the apps mentioned above have been uninstalled, we recommend that you carry out all software updates available for your device.

We apologise for any inconvenience caused and will keep you informed of further developments.

Update 4/8/21: Added new statement.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us