Ransomware targets Android smart TVs

If you own a Sharp and Philips smart TV running the Android TV OS, you should know that it could be hit by FLocker, a device-locking ransomware that targets both Android-powered mobile devices and smart TVs.

FLocker locks Android smart TVs

FLocker (short for “Frantic Locker”) has been around for a year, and its developer(s) are doing their best to keep the threat current. It’s usually delivered to victims via spam SMS or malicious links.

“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards,” the researchers shared. “Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs.”

The malware is good at hiding itself, is able to fool static code analysis, and to bypass dynamic sandbox protection.

After infecting a device, it waits 30 minutes before running, then contacts its C&C. The C&C delivers a new APK file and the ransom note – a HTML file with a JavaScript (JS) interface enabled – which initiates the APK installation, takes photos of the affected user, and displays the photos taken in the ransom page.

According to the researchers, FLocker avoids targeting users located in Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus, but goes after all others.

Those who are hit receive a localized ransom message that sports their IP address and photo, and this could be more than enough for the victims to start panicking and pay the fine.

Although, the fact that it is paid by buying an iTunes Gift Card and typing in the card code might return users to their senses – who ever saw any “cyber police” requiring iTunes gift cards in lieu of a cash fine?

“If an Android TV gets infected, we suggest user to contact the device vendor for solution at first,” the researchers advised.

“Another way of removing the malware is possible if the user can enable ADB debugging. Users can connect their device with a PC and launch the ADB shell and execute the command ‘PM clear %pkg%’. This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app.”