Gigaset's update server has been hacked. Malware is a persistent threat to smartphone users

Gigaset, a major German maker of Android smartphones, was hacked, and malware and unauthorized programs were pushed to devices from its update server. Only a few users, however, were affected.

Some creatures, such as Trojans

Since the end of March 2021, owners of Android smartphones from the German manufacturer Gigaset have periodically found malware on their devices. As it turned out, the perpetrators had gained access to the company's update server.

Owners of Gigaset devices have noticed that, since March 27, their phones have been opening a browser and displaying advertisements for mobile games. According to Bleeping Computer, an unknown app called "easenf" appeared among the installed applications and was stubbornly reinstalled after each removal.


As experts from the BornCity resource discovered, the app was installed by the device itself, more precisely by its update function. Aside from "easenf," a few other applications ("gem," "smart," and "xiaoan") reached the smartphones the same way. They quickly reappeared after each deletion, without the knowledge or consent of the users. VirusTotal classifies these programs as adware or third-party downloaders.

On some devices, the Trojan Android/Trojan.SMS.Agent.YHN4 was also installed; as its name suggests, it can send SMS messages and uses this capability to spread further. If the WAGD version of the Trojan is installed on the system, it will try to spread further through WhatsApp messages.

According to Malwarebytes, the first thing to land on a smartphone is the Redstone downloader (Android/PUP.Riskware.Autoins.Redstone; on the Android system it is registered as the system application com.redstone.ota.ui), which then downloads three variants of the Trojan downloader Android/Trojan.Downloader.Agent.WAGD (com.wagd.gem, com.wagd.smarter and com.wagd.xiaoan), which are then installed on the system as standalone applications.

Updates get disabled
According to Malwarebytes, the automatic installation can be stopped by enabling developer mode (USB debugging) and running the following ADB command from a connected computer:
adb shell pm disable-user --user 0 com.redstone.ota.ui

Device updates will be disabled as a result of this action.

Gigaset confirmed the problem in evasive terms, and only for older devices.

Günter Born, editor of BornCity, says that he phoned Gigaset and was told that the update server had been hacked. However, it is unclear why the issue affects only older models in this case.

According to Malwarebytes, the Redstone Trojan was discovered not only on Gigaset devices, but also on Siemens (GS270 and GS16, Android 8.1.0) and Alps (P40pro and S20pro+, Android 9.0 and 10.0, respectively) smartphones.

"It's also a little shocking that it all came down to promotional cheats," says Dmitry Gvozdev, CEO of Information Technologies of the Future. "Maybe not all of the effects are apparent to consumers. Such attacks, if we're talking about hacking Gigaset's central update server, are among the most dangerous because of the large number of victims and the inability of the overwhelming majority of end users to protect themselves."

The incident is being investigated by Gigaset.