Yes, even smart TVs can be hit by Android ransomware

Make sure you protect each and every smart device.

Researchers are actively tracking a ransomware family whose variants can infect all Android devices, including smart TVs.

Security analysts at Trend Micro explain they've come across 7,000 variants of the ransomware, dubbed "FLocker," since it first appeared in May 2015.

The most recent variant is a bit peculiar, however, as a blog post published by the researchers explains:

"The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards. Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs."

FLocker's ransom screen

Interesting... those in the security community are well aware of another piece of Android ransomware that goes by the name of Cyber.Police. Like FLocker, this ransomware also demands $200 worth of iTunes gift cards.

The Cyber.Police ransomware screen even bears a similar (and in some cases exact) design to that used by FLocker:

Cyber.Police's ransom screen

Coincidence? Perhaps the same actors behind Cyber.Police developed FLocker? Or maybe those responsible for FLocker designed its ransomware screen after purchasing Cyber.Police's code on the dark web?

Regardless of its relationship to Cyber.Police, FLocker hides away its code in the raw data files - specifically, in a file called form.html stored inside the assets folder. That little technique helps the ransomware avoid static code analysis.

Once the malware runs, it decrypts the form.html file and executes the malicious code.
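A triage check for the hiding technique described above, as an added example that is not from the original article or from Trend Micro's analysis: it lists files under an APK's assets/ folder that carry a text extension such as .html but whose bytes have the entropy of encrypted data. The 7.0 bits-per-byte threshold, the extension list and the constructed sample archive are assumptions.

```python
import io
import math
import os
import random
import zipfile
from collections import Counter

TEXT_EXTS = {".html", ".htm", ".js", ".css", ".txt", ".xml", ".json"}  # assumed list
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, markup sits well below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for markup, close to 8 for encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_assets(apk, min_size=256):
    """Return [(name, entropy)] for text-named assets that look encrypted."""
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if not info.filename.startswith("assets/") or ext not in TEXT_EXTS:
                continue
            data = zf.read(info)
            if len(data) < min_size:
                continue  # too short for a meaningful entropy estimate
            entropy = shannon_entropy(data)
            if entropy > ENTROPY_THRESHOLD:
                hits.append((info.filename, round(entropy, 2)))
    return hits


def build_sample_apk() -> io.BytesIO:
    """Constructed archive: one real HTML asset and a pseudo-random 'form.html'."""
    rng = random.Random(0)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/help.html", "<html><body><p>Help</p></body></html>\n" * 40)
        zf.writestr("assets/form.html", blob)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    print(suspicious_assets(build_sample_apk()))
```

Content that is only base64-wrapped or weakly obfuscated stays below the threshold, so an empty result is not proof that an asset is benign.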

Before FLocker proceeds any further, it first checks to see if the device is running in any of the following countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, and Belarus. If it finds a match, it terminates. If not, it runs its routine after 30 minutes and starts a background service that requests device admin privileges.

Ultimately, the ransomware connects to a C&C server, which delivers a new payload, and loads up the ransom screen asking victims to pay $200 in iTunes gift cards.

The researchers note an infection will likely succeed as long as it takes place on an Android device:

"The ransom webpage fits the screen, regardless if it infected a mobile device or a smart TV."

To protect against a FLocker infection, Android users should be careful about what sites they visit while browsing online. They should also exercise caution around suspicious links, and - where possible - they should install a security solution on each of their Android smart devices.

2 Responses

  1. Elliot Alderson

    June 14, 2016 at 10:54 pm

    So just set your location for the smart TV to either of these countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, or Belarus and it won't infect. Problem solved, you're welcome.
    Simple problems have simple solutions.

  2. Michael Ponzani

    June 15, 2016 at 1:18 pm

    Why won't it infect TVs from those countries?
