In a new twist on the rising ransomware scourge, the FLocker Android ransomware is now infecting smart TVs.
Ever since FLocker (short for “Frantic Locker”) first came out in May 2015, Trend Micro has gathered more than 7,000 variants in its sample bank. The latest is a police Trojan that pretends to be US Cyber Police or another law enforcement agency. It accuses potential victims of crimes they didn’t commit, then demands $200 worth of iTunes gift cards.
And, it can affect the Android OS that runs many smart TVs, including, “Using multiple devices that run on one platform makes life easier for a lot of people. However, if a malware affects one of these devices, the said malware may eventually affect the others, too,” said Trend Micro researcher Echo Duan, in an analysis.
Interestingly, when launched for the first time, FLocker checks whether the device is located in the following Eastern European counties: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus. If it is, it deactivates itself.
"The steady rise and rapid pervasiveness of ransomware has now hit home—literally,” Aaron Higbee, CTO and co-founder of PhishMe, told Infosecurity. “Ransomware capabilities have expanded to infect Android-powered consumer household devices and mandates a change to the way we think about cybersecurity. Malicious software is growing in complexity and is expanding capabilities beyond PCs. And, while automated IT security technology does catch many attacks, the human is the truly last line of defense and must be ready to intercept these attacks once they've passed through layers of technology.”
According to PhishMe's Q1 Malware Analysis Report, 93% of all phishing emails analyzed in March 2016 contained ransomware such as Flocker.
“This attack vector is steadily on the rise and is extending to everyday household items, so it's more important than ever that people are conditioned into recognizing cyberattacks and have a way to report suspect activity,” said Higbee. “This is the only way to truly prevent hackers from completely shutting down critical systems and holding hostage access to everyday necessities, not to mention blocking access to our favorite television shows."
The good news is that remediation isn’t difficult.
“If we’re getting technical, I think the term ‘ransomware’ is improperly used in this case,” said Garlati. Users can always reset the TV to factory defaults and get rid of the problem. There shouldn't be any valuable personal data/files on a TV worth the payment of the ransom. TVs are devices to consume content—more like tablets, not to produce and store it—like PCs.”
Users also can connect their device with a PC and launch the ADB shell and execute the command “PM clear %pkg%”. This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app.
Also, it could be possible to be infected by visiting an infected malicious website on an Android TV or by receiving SMS messages on the device. Consumers can protect themselves by: not accepting apps for installation that are sent by SMS messages; being very wary of accepting apps for installation from web pages and not an app store; and being very wary when apps request for increased access privileges.
“There is not really anything special about this attack; the malware operates in the same way to other malware on Android devices and we have seen a few cases with smart TVs in the past with LG TVs,” said Cesare Garlati, chief security strategist for the prpl Foundation, co-chair of the Mobile Working Group for the Cloud Security Alliance and former VP of mobile security for Trend Micro. “Users need to be careful if they are using multiple devices that run on the Android platform, as it can move more easily from one device to the next.”
Photo © Maxx-Studio