Threat actors compromised at least one update server of smartphone maker Gigaset and infected a firmware update with malware.
Gigaset AG, a multinational corporation based in Germany and formerly known as Siemens Home and Office Communication Devices, fell victim to a supply chain attack that took place around April 1, 2021.
According to a blog post by BornCity, multiple users have reported on the Google support forums that their devices were infected with adware and displayed unwanted ads. Among other issues reported by multiple users are browser windows suddenly opening with advertisements or redirecting to gambling sites, WhatsApp accounts blocked due to critical activities, Facebook accounts taken over, SMS messages sent automatically, devices going into “do not disturb” mode, the battery draining quickly, and smartphones becoming slow.
Gigaset confirmed the supply chain attack and said the malware was delivered to its Android devices in a firmware update from a compromised server.
The German website heise.de published an incomplete list of malware package names and services that have been installed on users' devices:
- easenf
- com.wagd.smarter
- com.wagd.xiaoan
- according to
- smart
- AppSettings
- Tayase
- com.yhn4621.ujm0317
- BBQ browser
There are indications of data theft as well: “Initial indications from affected users suggest that data may also have been deducted from the smartphones,” states the BornCity website.
One of the most disturbing symptoms reported by Gigaset users is the automatic sending of WhatsApp and SMS messages; in some cases, WhatsApp suspended the accounts for suspicious activity.
The vendor is already working “on a short-term solution for the affected users.”
Gigaset assured it is working closely with IT forensic experts and the relevant authorities.
The incident only affects older devices.
“GS110, GS185, GS190, GS195, GS195LS, GS280, GS290, GX290, GX290 plus, GX290 PRO, GS3, and GS4 devices are not affected,” said a Gigaset spokesperson.