Trend Micro researchers have found the first major example of ransomware that can attack a Smart TV with hackers using an updated version of FLocker that targets devices running the Android operating system.
Trend Micro researcher Echo Duan wrote in a blog post that this FLocker version, one of more than 7,000 variants that have been tracked by the company since the malware was first spotted in May 2015, has the ability to infect and lock the screen of any device running the Android operating system, including a Smart TV.
“This is the first major instance of ransomware to infect TVs that we've found,” Christopher Budd, global threat communications manager, told in an email. This FLocker operates as a police Trojan and attempts to scare the victim into paying by claiming to be the “US Cyber Police.” Once the malware is downloaded and the TV locked, the hacker accuses the victim of a false crime and demands $200 in iTunes gift cards to have the Smart TV or mobile device unlocked.
In an ironic twist, the very convenience the owners obtain by using multiple devices that run on a common operating system also works for the bad guys. “Using multiple devices that run on one platform makes life easier for a lot of people. However, if a malware affects one of these devices, the said malware may eventually affect the others, too,” Duan wrote.
“As far as how, it's being delivered through standard infection vectors: nothing new or special. The TVs in this case are accidental collateral damage of the ransomware, and not specifically targeted. They just happen to be running an attackable version of Android.” Budd said. Duan said there is little difference between FLocker that attacks mobile devices and the version that goes after Smart TVs.
“To avoid static analysis, FLocker hides its code in raw data files inside the “assets” folder. The file it creates is named “form.html” and looks like a normal file. By doing so, the code of “classes.dex” becomes quite simple and no malicious behavior could be found there. Thus the malware has the chance to escape from static code analysis. When the malware runs, it decrypts “form.html” and executes the malicious code,” he wrote.
FLocker then checks to see if the device being attacked is located in Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia or Belarus. If so it deactivates itself. For those people who do not live in Eastern Europe Duan suggested contacting the manufacturer or if the victim is a bit tech savvy they can possibly handle the task on their own.
“Another way of removing the malware is possible if the user can enable ADB debugging. Users can connect their device with a PC and launch the ADB shell and execute the command “PM clear %pkg%”. This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app,” he said.