Gigaset Malware Dropper
Users of Gigaset mobile devices are encountering unwanted apps that are being downloaded and installed through a pre-installed system update app.
“The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app,”
While the issue seems to be mainly affecting Gigaset phones, devices from a handful of other manufacturers appear to be impacted as well. The full list of devices that come with the pre-installed auto-installer includes Gigaset GS270, Gigaset GS160, Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+.
The Update app installs three different versions of a trojan that’s capable of sending SMS and WhatsApp messages, redirecting users to malicious game websites, and downloading additional malware-laced apps.
The malicious WhatsApp messages are most likely meant to spread the infection further to other mobile devices. Users have also reported finding a second trojan, “Trojan.SMS.Agent.YHN4”, on their mobile devices after being redirected to gaming websites by the aforementioned WAGD trojan. This second trojan mirrors the WAGD trojan’s SMS and WhatsApp messaging functionality to propagate the malware.
Unlike third-party apps downloaded from the Google Play Store, system apps cannot be easily removed from mobile devices without resorting to tools like Android Debug Bridge (ADB).
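As an added example (not from the original article or from Gigaset), the following script checks over ADB whether a device carries the updater package named above and whether its model is on the article's list. The function names, the verdict strings and the assumption that `ro.product.model` contains the model name as written in the article are all this example's own.

```shell
#!/bin/sh
# Added example: triage for the pre-installed updater named in the article.
PKG="com.redstone.ota.ui"                     # package name quoted in the article
AFFECTED_MODELS="GS270 GS160 P40pro S20pro+"  # tokens from the article's device list

# Return 0 if a `pm list packages` listing on stdin contains exactly $PKG.
has_updater() {
    tr -d '\r' | grep -qxF "package:${PKG}"
}

# Return 0 if model string $1 contains a listed token (case-insensitive).
# Assumption: ro.product.model carries the model name as written in the article.
is_affected_model() {
    model_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for m in $AFFECTED_MODELS; do
        token=$(printf '%s' "$m" | tr '[:upper:]' '[:lower:]')
        case "$model_lc" in *"$token"*) return 0 ;; esac
    done
    return 1
}

# Print a verdict for model $1 and package listing $2.
triage() {
    if printf '%s\n' "$2" | has_updater; then
        if is_affected_model "$1"; then echo "LISTED_DEVICE_WITH_UPDATER"
        else echo "UPDATER_PRESENT"; fi
    else
        echo "UPDATER_ABSENT"
    fi
}

if [ "${1:-}" = "--device" ]; then
    # Live mode: query the phone attached over USB debugging.
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    verdict=$(triage "$model" "$(adb shell pm list packages)")
    echo "$model: $verdict"
    if [ "$verdict" != "UPDATER_ABSENT" ]; then
        echo "Disable for the primary user: adb shell pm disable-user --user 0 $PKG"
        echo "Re-enable later:             adb shell pm enable --user 0 $PKG"
    fi
else
    # Offline demo on a constructed listing (not captured from a real device).
    triage "Gigaset GS270" "package:com.android.settings
package:$PKG"
fi
```

Disabling the updater also blocks legitimate system updates delivered through it until it is re-enabled.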
Gigaset confirmed the malware attack, stating that an update server used by the devices to fetch software updates was compromised and that only devices that relied on that specific update server were affected. The company has since fixed the issue and is expected to push an update to remove the malware from infected phones.