Gigaset smartphones infected with malware due to compromised update server

Hackers have compromised at least one update server of German smartphone maker Gigaset and deployed malware to some of the company's customers.

The German company, which previously operated under the Siemens Mobile and BenQ-Siemens brands and was one of the largest mobile phone makers in the early 2000s before the smartphone era, admitted to the security breach in statements today to German news sites Heise and BornCity.

According to reports from German bloggers, Twitter users, and the Google support forums, the security breach appears to have taken place on Friday, April 2, 2021.

Starting Friday, users reported the sudden installation of never-before-seen apps that appeared to drain device batteries and repeatedly opened web browsers to gambling and ad-laden sites (see images in the tweet below).

Auf dem Smartphone meiner Mutter ist eine Malware-App, die sich irgendwie versteckt und nicht deinstallieren lässt (wir haben schon unzählige Apps deinstalliert): ständig öffnet sich der Chrome-Browser von selbst und öffnet solche Werbungs-Websites: 1/x pic.twitter.com/ABKtR4vnrx

— das Menschy (@das_Menschy) April 3, 2021

Furthermore, device owners also reported that their devices sent unsolicited SMS and WhatsApp spam, with some users having WhatsApp accounts suspended for suspicious activity. In addition, some users also reported losing control over their entire Facebook accounts.

Gigaset working on solution to remove malware

According to information shared by users who had smartphones impacted by this incident, the following apps appear to have been installed without permission since last week:

 com.yhn4621.ujm0317
 com.yileiya.ayase ("Tayase")
 com.wagd.xiaoan ("xiaoan")
 com.wagd.smarter ("smart")
 com.dolphinstudio.hook
 com.dolphinstudio.taiko
 com.relax.rain
 BBQ Browser
 easenf

Many users reported difficulties in removing the apps, which reappeared on users' devices after being uninstalled.

But according to Gigaset, not all users were impacted by this incident, and only those who received firmware updates from one specific server. The company says it's currently working "on a short-term solution for the affected users."

We are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem.

Gigaset spokesperson

The smartphone maker hopes to have a solution ready within 48 hours to remove the malware from affected devices.

Gigaset said that mostly older devices were impacted and received tainted firmware updates. Newer models were not affected, the company said. Non-impacted Gigaset models included GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3, and GS4.