Auto-Updater app downloads Malware
A new, unknown until now Android malware problem that plagues specific smartphone models was recently reported. It appears that the issue is limited to certain Gigaset smart device models as well as models from a couple of other mobile device brands. Apparently, hackers have managed to download Trojan Horses on the affected devices through automatic fake updates that the users have no control over.
Security researchers report that the software responsible for automatically downloading Trojans is a pre-installed com.redstone.ota.ui Update app. This app is pre-installed in the affected devices and therefore users have no say in whether it’s going to be on their phone or not – it is already there once they buy the device. Another name that is used to refer to the malicious part of this app – the one responsible for downloading malware – is Android/PUP.Riskware.Autoins.Redstone.
The first person to find out about this problem is the Günter Born, a German blogger and author, who discovered the malicious auto-updater last week.
It is presently known that the malicious auto-updater is responsible for spreading three different variants of a malicious Trojan Horse known as Trojan.Downloader.Agent.WAGD.
Some of the things that this malware is known for are automatically sending out WhatsApp and SMS messages from the infected device, downloading more malware onto the phone, and redirecting the user to websites with malicious and harmful contents. It is thought that the messages sent by the Trojan to other users are to further propagate the infection to other devices.
Some users also report that they have encountered another Trojan on their devices after the WAGD one rerouted them to malicious gaming sites. The second Trojan is named Trojan.SMS.Agent.YHN4 and, similarly to WAGD, this one automatically sends out WhatsApp messages to other users to help spread its infection.
One of the main problems with this situation is that, unlike third-party applications that users download from the Google Play Store or from other download platforms, pre-installed software can be rather difficult to remove from the device. Usually, the user would need to resort to specialized tools such as Android Debug Bridge (ADB) and have some advanced knowledge on how to use it. Also, since the updates are automatic, most people don’t even realize when they get installed and so the malware can enter the system without being noticed. It is possible to restrict the automatic updates on a device that may be exposed to this risk, but this is not suggested as there’s already a fix in the works that should soon start to get automatically installed on the affected device.
Gigaset Addressing the Problem
Speaking of the fix, Gigaset has addressed this issue and has come up with a fix that they will soon push as an automatic update.
According to the company, the reason for this issue is that one of their servers that’s responsible for fetching updates to Gigaset devices got compromised by hackers who began to use them for spreading malware through the pre-installed auto-update app that all of the mentioned Gigaset devices have. This is also the reason why only certain devices – the ones that relied on the hacked server for updates – got infected by malware.
This isn’t the first recent instance of Android malware using automatic updates to attack users, compromise their systems, and gain access to their data. A week ago another new Android malware got discovered, which installs in the system through a fake update request – “Searching for update” – and then targets the user’s photos, GPS locations, videos, and other private data.