Pre-Installed Malware Dropper Found On German Gigaset Android Phones


In what appears to be a fresh twist in Android malware, users of Gigaset mobile devices are encountering unwanted apps that are being downloaded and installed through a pre-installed system update app.

“The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app,” Malwarebytes researcher Nathan Collier said. “This app is not only the mobile device’s system updater, but also an auto installer known as Android/PUP.Riskware.Autoins.Redstone.”

The development was first reported by German author and blogger Günter Born last week.


While the issue seems to be mainly affecting Gigaset phones, devices from a handful of other manufacturers appear to be impacted as well. The full list of devices that come with the pre-installed auto-installer includes Gigaset GS270, Gigaset GS160, Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+.

According to Malwarebytes, the Update app installs three different versions of a trojan (“Trojan.Downloader.Agent.WAGD”) that’s capable of sending SMS and WhatsApp messages, redirecting users to malicious game websites, and downloading additional malware-laced apps.

“The malicious WhatsApp messages are most likely in order to further spread the infection to other mobile devices,” Collier noted.

Users have also reported a second, separate strain of malware, “Trojan.SMS.Agent.YHN4”, appearing on their devices after they landed on the gaming websites the WAGD trojan redirects to. YHN4 mirrors WAGD’s SMS and WhatsApp messaging functionality to propagate itself.

Unlike third-party apps downloaded from the Google Play Store, system apps cannot be easily removed from mobile devices without resorting to tools like Android Debug Bridge (ADB).
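As an added illustration that is not part of the article, the POSIX shell helper below takes the output of `adb shell pm list packages -f` (a constructed sample is embedded) and reports whether the updater package named above, com.redstone.ota.ui, is present and whether it lives on a system partition, which is why a normal uninstall is not offered; the APK path in the sample and the `/system`, `/vendor`, `/product` prefix rule are assumptions. Removing the package for the primary user with `pm uninstall -k --user 0` is a real ADB command, but note that it also removes the device's updater, which the article says Gigaset intends to use to push the clean-up update.

```shell
#!/bin/sh
# Triage helper (added example, not from the article): check whether the
# pre-installed updater named in the article is present and whether it is
# a system app. Input is the text of `adb shell pm list packages -f`,
# one line per package: "package:/path/to/base.apk=com.example.pkg".
SUSPECT_PKG="com.redstone.ota.ui"

# Print the APK path for package $2 found in listing $1 (empty if absent).
# Dots in the package name are escaped so they match literally.
find_pkg_path() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed -n "s|^package:\(.*\)=$esc\$|\1|p"
}

# Classify a package as "absent", "system" (on a read-only partition, so
# only removable per-user via ADB, as the article notes) or "user".
# The partition prefixes checked here are an assumption.
classify_pkg() {
    path=$(find_pkg_path "$1" "$2")
    if [ -z "$path" ]; then
        echo absent
    else
        case "$path" in
            /system/*|/vendor/*|/product/*) echo system ;;
            *) echo user ;;
        esac
    fi
}

# Constructed sample listing standing in for a real device dump; the
# RedstoneOta.apk path is invented for the example.
SAMPLE_LISTING='package:/system/app/RedstoneOta/RedstoneOta.apk=com.redstone.ota.ui
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/priv-app/Settings/Settings.apk=com.android.settings'

# Stand-alone run: report the finding and the per-user removal command.
# Caveat: this also removes the updater that would deliver the vendor fix.
status=$(classify_pkg "$SAMPLE_LISTING" "$SUSPECT_PKG")
echo "$SUSPECT_PKG: $status"
if [ "$status" = "system" ]; then
    echo "per-user removal: adb shell pm uninstall -k --user 0 $SUSPECT_PKG"
fi
```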


For its part, Gigaset confirmed the malware attack, stating that an update server used by the devices to fetch software updates was compromised and that only devices that relied on that specific update server were affected. The company has since fixed the issue and is expected to push an update to remove the malware from infected phones, according to Born.

The development comes a week after cybersecurity researchers revealed a new Android malware that was found to pilfer users’ photos, videos, and GPS locations by sending a fraudulent notification posing as a “System Update” that is “Searching for update.”

When reached for a response, Gigaset said it’s investigating the software supply chain incident, adding “we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.”

“It is also important to mention at this point that, according to current knowledge, the incident only affects older devices. We currently assume that the devices GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290plus, GX290 PRO, GS3 and GS4 are not affected,” it noted.


Mourad ELGORMA