Your Smart TV Could Be Targeted by Ransomware

A relatively new piece of malware called FLocker, or Frantic Locker, has been discovered by cybersecurity researchers at Trend Micro. It targets Android devices, including smart TVs.

The internet of things aims to connect every conceivable home device on a single, accessible platform, and this motivates cybercriminals to come up with novel ways to deliver their malicious wares. Case in point: a version of the ransomware called FLocker, which can target, infect and lock down smart TVs until the ransom is paid in iTunes gift cards.

Over 7,000 variants of the FLocker ransomware have been detected by Trend Micro since its initial discovery in May 2015. In April alone, there were over 1,200 different variants.

The latest among them is a police Trojan that purports to be from US Cyber Police or a law enforcement agency. Amazingly, it accuses targeted victims of crimes they did not commit before demanding 200 USD in iTunes gift cards. According to Trend Micro’s investigation, this variant can infect a mobile device and affect smart TVs as well.

Curiously, the ransomware first checks where the compromised device is located, via its IP address. If the device is in one of the following Eastern European countries, the ransomware deactivates itself.

The no-hit list of countries is:

  • Kazakhstan
  • Azerbaijan
  • Bulgaria
  • Georgia
  • Hungary
  • Ukraine
  • Russia
  • Armenia
  • Belarus

Every other country makes for a compatible target. After infecting a target, the ransomware waits for 30 minutes. Following the waiting period, it starts a background service that requests admin privileges.

“We consider it as a trick to bypass [the] dynamic sandbox,” Trend Micro stated in its blog. “If the user denies this request, it will freeze the screen, faking a system update.”

The analysis further revealed:

FLocker runs in the background and connects to a command and control (C&C). The C&C then delivers a new payload misspelled.apk and the “ransom” HTML file with a JavaScript (JS) interface enabled. This HTML page has the ability to initiate the APK installation, take photos of the affected user using the JS interface, and display the photos taken in the ransom page.

The ransomware screen, which renders on a mobile device just as easily as it does on a smart TV, is as follows:

For users who have been compromised by the malware, the security firm suggests reaching out to the hardware vendor. Technically adept users can attempt to remove the malware via ADB debugging: connect the device to a PC, launch the ADB shell and execute the following command, where %pkg% stands for the ransomware's package name:

pm clear %pkg%

The command instantly kills the ransomware process and undoes the lock screen. At this point, users can deactivate the admin privilege granted to the malware before uninstalling the application altogether.
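
The clean-up above depends on knowing which package to pass as %pkg%. The script below is an added example, not code from Trend Micro or from the original article: it lists user-installed packages that also hold device-admin rights, then runs the article's steps in order. The package names, the sample outputs and the admin-rights heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for the ADB clean-up above. Assumption: the app to
# pass as %pkg% is a user-installed package that holds device-admin rights.

# Constructed sample of `adb shell pm list packages -3` (user-installed apps).
SAMPLE_PKGS='package:com.example.videoplayer
package:com.example.fakeupdate'

# Constructed, abbreviated sample of `adb shell dumpsys device_policy`.
# The layout differs between Android versions; only pkg/.Receiver is used.
SAMPLE_POLICY='Enabled Device Admins (User 0):
  com.example.fakeupdate/.AdminReceiver:
    uid=10123
  com.vendor.tvsettings/.PolicyReceiver:
    uid=1000'

# admin_packages POLICY_TEXT: package part of every component name found.
admin_packages() {
    printf '%s\n' "$1" | grep -oE '[A-Za-z0-9_.]+/[A-Za-z0-9_.$]+' | cut -d/ -f1 | sort -u
}

# third_party_admins PKG_LIST POLICY_TEXT: user-installed packages that also
# appear as device admins. Matching is exact, so com.a does not match com.ab.
third_party_admins() {
    admins=$(admin_packages "$2")
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | while read -r pkg; do
        if printf '%s\n' "$admins" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# clean_up PKG: the page's steps in order, for a package you have confirmed.
clean_up() {
    adb shell pm clear "$1"    # the page's command, with %pkg% filled in
    printf 'Deactivate device admin for %s on the device, then press Enter: ' "$1"
    read -r reply
    adb uninstall "$1"         # uninstall once the admin privilege is off
}

case "${1:-}" in
    scan)  third_party_admins "$(adb shell pm list packages -3)" \
                              "$(adb shell dumpsys device_policy)" ;;
    clean) if [ -n "${2:-}" ]; then clean_up "$2"; fi ;;
    demo)  third_party_admins "$SAMPLE_PKGS" "$SAMPLE_POLICY" ;;
esac
```

Run it with `scan` against a connected device, review the output by hand, and only then call `clean` with the package you have confirmed; `demo` runs the same check on the constructed samples.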