Watch out, FLocker Ransomware targets Android smart TVs

The day has come, Sharp and Philips smart TV running the Android TV OS could be infected by a ransomware dubbed FLocker ransomware.

When a journalist asked me which is a possible evolution of ransomware I had no doubt, the Internet of Things. I was thinking of ransomware that infects medical devices and Smart objects in our homes.

The day has come, Sharp and Philips smart TV running the Android TV OS could be infected by a ransomware dubbed FLocker (short for “Frantic Locker”). FLocker, aka ANDROIDOS_FLOCKER.A, is a ransomware specifically designed to target Android mobile devices and smart TVs.

FLocker isn’t a new threat, it has been around for a year and crooks delivered it to the victims via spam SMS campaigns or sharing malicious links.

The FLocker ransomware was first spotted on May 2015, security experts from Trend Micro detected more than 7,000 strains of the same malware. The threat actors behind the FLocker ransomware has updated over the time the threat improving it and making had its detection by security solutions. Over the past few months, the experts observed a number of spikes and drops in the number of iterations released in the wild, in the last wave of infection observed in the mid-April the researchers detected over 1,200 variants.

“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards,” states the analysis published by TrendMicro. “Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs.”

The last interaction discovered by the experts pretends to be an enforcement agency and threatens the victims of crimes they didn’t commit. It locks the device by demanding a 200 USD-ransomware worth of iTunes gift cards, it’s ridiculous a cyber police that requires iTunes gift cards instead cash.

Once infected a device, the malware checks the user’s country to avoid infecting machines of Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, and Belarus.

The FLocker ransomware remains inactive for 30 minutes before running then it launched the background service which requests device admin privileges immediately. If the user doesn’t grant the admin privileges the FLocker ransomware will freeze the screen simulating a system updating.

At this point, the threat contacts C&C that in turn delivers a new APK file and the ransom note which starts the APK installation, takes photos of the infected device and displays the photos taken inside the ransom page. The note is written in the language used in the country of the infected device.

Trend Micro suggests victims to contact device vendors in case of infection, a second option is to enable ADB debugging and operate via the ADB shell in order to sanitize the device and kill the ransomware.

“If an Android TV gets infected, we suggest user to contact the device vendor for solution at first,” reads the analysis.

“Another way of removing the malware is possible if the user can enable ADB debugging. Users can connect their device with a PC and launch the ADB shell and execute the command ‘PM clear %pkg%’. This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – FLocker ransomware, mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.