Yes, even smart TVs can be hit by Android ransomware

David Bisson

Yes, even smart TVs can be hit by Android ransomware

Yes, even smart TVs can be hit by Android ransomware

Researchers are actively tracking a ransomware family whose variants can infect all Android devices, including smart TVs.

Security analysts at Trend Micro explain they’ve come across 7,000 variants of the ransomware, dubbed “FLocker,” since it first appeared in May 2015.

The most recent variant is a bit peculiar, however, as a blog post published by the researchers explains:

“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards. Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs.”

Flocker
FLocker’s ransom screen

Interesting… those in the security community are well aware of another form of Android ransomware variant that goes by the name of Cyber.Police. Like FLocker, this ransomware also demands $200 worth of iTunes gift cards.

The Cyber.Police ransomware screen even bears a similar (and in some cases exact) design to that used by FLocker:

Cyber police
Cyber.Police’s ransom screen

Coincidence? Perhaps the same actors behind Cyber.Police developed FLocker? Or maybe those responsible for FLocker designed its ransomware screen after purchasing Cyber.Police’s code on the dark web?

Regardless of its relationship to Cyber.Police, FLocker hides away its code in the raw data files – specifically, in a file called form.html stored inside the assets folder. That little technique helps the ransomware avoid static code analysis.

Once the malware runs, it decrypts the form.html file and executes the malicious code.

Before FLocker proceeds any further, it first checks to see if the computer is running in any of the following countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, and Belarus. If it finds a match, it terminates. If not, it runs its routine after 30 minutes and starts a background service that requests device admin privileges.

Flocker bypass

Ultimately, the ransomware connects to a C&C server, delivers a new payload, and loads up the ransom screen asking victims to pay $200 in iTunes gift cards.

The researchers note an infection will likely succeed as long as it takes place on an Android device:

“The ransom webpage fits the screen, regardless if it infected a mobile device or a smart TV.”

To protect against an FLocker infection, Android users should be careful about what sites they visit while browsing online. They should also exercise caution around suspicious links, and – where possible – they should install a security solution on each of their Android smart devices.

David Bisson David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 Replies to “Yes, even smart TVs can be hit by Android ransomware”

  1. so just set your location for the smart tv to either of these countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, or Belarus and it wont infect. problem solved, you're welcome.
    simple problems have simple solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES