Gigaset: malware infestation on the manufacturer's Android devices is puzzling

Since last Friday, both the author of this article and heise online have received reports from owners of Gigaset smartphones who suddenly found themselves confronted with malicious code on their Android devices.

The "symptoms" described range from redirects to gambling sites and displayed advertisements to problems with WhatsApp, access to private data and the unsolicited reinstallation of unwanted apps. Permanent removal usually failed. Some point to a compromised Gigaset (update) server as a possible source of the malicious code; an official statement from the company is still pending.

Update 04/06/21, 6:00 p.m.: In the meantime, Gigaset's quality assurance department has provisionally confirmed to the author of this report that the company's update server delivered the malware. Only devices that received updates from this server were affected.

According to Gigaset, the infection has been resolved and malware will no longer be delivered. The analysis is still ongoing.

Update 04/07/21, 09:50 a.m.: In the meantime, heise online has received another statement from Gigaset. According to the current state of knowledge, the incident only affects "older devices". It is currently assumed that the models GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3 and GS4 are NOT affected. Gigaset also expects that "within 48 hours we will be able to offer further findings or a solution to the issue", according to the e-mail from Tuesday evening.

As soon as more information is known, we will summarize it in a new message. We have left the following message text unchanged for the time being; only the teaser was adjusted according to Gigaset's confirmation.

Affected Devices and Symptoms

According to user reports so far, various Android smartphone models from Gigaset are affected by the incidents. Specifically, the GS 170 and GS 180 models were named. There are also affected users with Gigaset devices in other European countries. But it is also clear that not all devices have been infected (or at least show no visible symptoms). For example, two of the author's test devices, used without SIM cards, have so far remained infection-free; readers who own several GS 180 devices also reported that "only" two of them were suddenly infected.

In addition to the symptoms described above, many users observe that the smartphone battery is "sucked empty" within a short time. Affected devices are also said to react very slowly and to switch to "Do Not Disturb" mode overnight or to switch on automatically (a device that appears to be switched off is probably not shut down; only the display is switched off). Furthermore, affected users of WhatsApp report having been blocked by the instant messaging service. After the ban was lifted, they suddenly received messages from unknown senders in Latin America, Asia and Africa, an indication that the malware is misusing the service and the associated contact details.

According to the comments of those affected, the following installed apps (or package names) and services may indicate a possible infection. However, the list does not claim to be complete, especially since those affected keep reporting new apps and services that suddenly appear on their devices.

Source of infection unclear - indications available

The initial suspicion that the (non-)infection of a device depends on the SIM card provider or mobile network operator has been refuted by feedback from affected users who use different mobile network operators in Europe.

A report in the author's blog by an administrator of more than 100 Gigaset GS370 Plus devices speaks against a targeted infection of Gigaset devices via the browser, a WhatsApp message, a link in an SMS or an installed app as the source of the malware. The device fleet is managed by Mobile Device Management (MDM), and the ability to install apps is completely blocked by the MDM. Only updates of the Android firmware were allowed, and still malware problems occurred. In addition, the author has received further feedback from an administrator who operates Gigaset devices with a single app within a company and has also found infections there.

Another victim reported that he had prevented the reinstallation of the previously removed malware on his device by uninstalling the system app update.apk via the Android Debug Bridge (ADB). Overall, the indications point to an infected update server at Gigaset or to a (so far unnoticed) compromise at the factory.

Gigaset is silent, BSI has been informed

In view of the possible threat to the owners of Gigaset devices, the author of this article informed the manufacturer on the night of April 3rd. Apart from a reply from support that the matter would be passed on, he has not received a response so far. A tweet from the author to Gigaset, with the BSI copied in, was answered by BSI President Arne Schönbohm, who said that the "next steps" were being taken care of.

In the Google support forum, an affected user reported that Gigaset had turned him down: "Gigaset has already claimed via email (...) that it is a matter of 'third-party software' because the device is connected to other servers via the SIM card and Google. In addition, they push it onto the WebView APK, which should be updated. Then the problem should be gone."

A bug in the Android system component WebView caused app crashes for numerous users around two weeks ago, a problem that was neither manufacturer-specific nor, as far as is known, able to result in malware infections.

If in doubt, it is better to shut down first

Attempts by those affected to permanently remove the malware infection by uninstalling, resetting the devices and similar measures have so far been unsuccessful. As long as the manufacturer Gigaset cannot or will not disclose all the details of the infection and provide reliable remedies, the devices should simply be regarded as compromised. Administrators and data protection officers in companies affected by this incident are advised to check whether a precautionary report to the data protection supervisory authority is required within 72 hours.

The author advises those affected to shut down the device completely until the incident has been fully resolved: remove the battery (if possible), remove the SIM card and also change the WiFi password on the router to prevent any contact with the Internet. The WiFi password change matters for devices with a built-in battery that appear to be switched off but are still active. Furthermore, as a precaution, the passwords of all online accounts that were used on Gigaset devices should be changed, including on devices that are not infected or not obviously infected.

Incidentally, the probably heavily frequented Gigaset forum is currently also closed, for maintenance work.
