By now, ransomware attacks are somewhat old news. One would be hard-pressed to find a savvy computer user that isn’t aware of the new trend of cyber criminals locking down files and demanding ransoms in untraceable digital currency.
Trend Micro reported at the beginning of the year that more than 4 million ransomware samples were discovered in 2015, most of which were aimed at laptops and desktops, with a smaller percentage created specifically for smaller mobile devices. Most of these began with a malicious email or link that infected the device and enabled the ransomware to lock users out.
What’s more, Trend Micro noted that this trend wasn’t likely to slow down anytime soon – and would, in fact, become a more prevalent threat in 2016.
Now, news of a new type of ransomware infection proves that these analysts weren’t wrong. Echo Duan, Trend Micro Mobile Threat Response Engineer and TrendLabs Security contributor, recently reported on FLocker, a mobile ransomware sample that has begun infecting a new kind of endpoint: smart TVs.
Even televisions aren’t safe
This is the first time a ransomware sample has made the jump from mobile device to smart TV. Now that more and more devices include wireless Bluetooth connectivity as part of the Internet of Things, it’s easier for cyber criminals to launch attacks on never-before-seen platforms.
According to Duan, FLocker is an Android lock-screen ransomware sample that was first observed in mid-2015. At the time, the malware was aimed at Android smartphones. There are currently more than 7,000 variants of FLocker, because the malware’s author has repeatedly made subtle changes to the code to keep it under the radar and enhance its malicious capabilities.
This newest version targeting smart TVs functions nearly identically to the previous versions. The attack begins with a notification appearing to be from U.S. Cyber Police, or another law enforcement agency. This tactic gives the ransomware more credibility in the hopes of duping victims and inspiring fear to encourage ransom payment.
Where other ransomware samples typically demand a ransom in Bitcoin, FLocker advises attacked users to send $200 in iTunes gift cards in order to have their device unlocked.
“And based on our analysis, there are no major differences between a FLocker variant that can infect a mobile device and one that affects smart TVs,” Duan wrote. “The ransom webpage fits on the screen, regardless if it infects a mobile device or a smart TV.”
How FLocker works
FLocker is known as a police Trojan. After selecting a target, it lies in wait for about 30 minutes before starting its malicious processes. From there, the infection launches the background service that enables it to request device admin privileges in an attempt to bypass the dynamic sandbox. If this doesn’t work and its request is denied, FLocker will freeze the device’s screen, similar to a system update, in order to mask its appearance.
The sample is also able to create a file called “form.html” that looks like any regular file inside the “assets” folder, helping it evade static analysis and detection.
Next, the ransomware connects to a command-and-control (C&C) server, from which it receives a payload named misspelled.apk along with the “ransom” HTML file. That HTML page uses a JavaScript interface to enable APK installation and to take screenshots of the device. These screenshots are then displayed on the ransom page, which locks the screen.
Once the device is infected and locked, FLocker collects an array of device details, including any associated phone number, contacts and the real-time location of the device. This information is encrypted before it is sent to the attacker’s C&C server.
One thing that does set FLocker apart from other ransomware samples is the fact that it tracks the device’s location and uses this to make a decision about infection. ExtremeTech noted that if devices are registered and located in certain countries – including Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia or Belarus – the sample will cease its malicious processes. It seems FLocker simply doesn’t work on devices in these regions.
“The first thing it does when reaching a new system is check its location,” ExtremeTech contributor Ryan Whitwam wrote. “If it’s not in one of those countries, it attempts to install a command and control system on the smartphone or TV.”
With any type of ransomware infection, the first step towards prevention is awareness. It’s important that users exercise caution no matter what device they’re using, and not open emails from unknown senders or click on suspicious links.
Trend Micro noted that it also may be possible to remove the malware from an infected Android TV using ADB debugging. After connecting the TV to a PC, the device owner can launch the ADB shell and run the “pm clear %pkg%” command. Here, %pkg% will refer to the infection’s name, ANDROIDOS_FLOCKER.A. This kills the ransomware process and unlocks the screen. Then, the user can deactivate admin privileges for the program and uninstall the app.
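As an added example (not from the article, and not Trend Micro’s tooling), the following POSIX shell script automates the ADB-based cleanup described above and adds the check a responder would want first: it lists the components currently holding device-admin rights, narrows them to third-party packages (FLocker asks for device-admin rights, which is what lets a lock-screen app hold the screen), and only then runs pm clear, removes the admin and uninstalls the package. It assumes ADB debugging is enabled on the TV and that adb is on the PATH or supplied via the ADB environment variable; the dumpsys device_policy output format it parses and the dpm remove-active-admin command (available on Android 7 and later) are assumptions, and the package name com.constructed.flocker in the comments is a constructed placeholder, not a real FLocker identifier.

```shell
#!/bin/sh
# Added example: triage and clean-up of a lock-screen ransomware app over ADB,
# following the steps given in the article (pm clear, deactivate admin, uninstall).
# Assumptions: ADB debugging is enabled and the TV is the only connected device;
# "$ADB" is the adb binary (override with ADB=... e.g. for a test stub);
# dumpsys device_policy lists admins as indented "pkg/Class:" lines.
set -u

ADB="${ADB:-adb}"

# Print every component registered as a device admin, one "pkg/Class" per line.
# adb output is CRLF-terminated, so strip the carriage returns before parsing.
list_device_admins() {
  "$ADB" shell dumpsys device_policy 2>/dev/null | tr -d '\r' |
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\/[A-Za-z0-9_.$]*\):$/\1/p'
}

# Keep only admins that belong to third-party (user-installed) packages.
# Built-in admins such as the Settings app are expected; a sideloaded app
# holding device-admin rights is the candidate to look at.
suspicious_admins() {
  third_party=$("$ADB" shell pm list packages -3 2>/dev/null |
    tr -d '\r' | sed 's/^package://')
  list_device_admins | while IFS= read -r comp; do
    pkg=${comp%%/*}
    if printf '%s\n' "$third_party" | grep -qxF -- "$pkg"; then
      printf '%s\n' "$comp"
    fi
  done
}

# Run the article's removal sequence against one admin component
# (e.g. com.constructed.flocker/.LockAdmin, a constructed placeholder):
#   1. pm clear   - force-stops the process and wipes its data, unlocking the screen
#   2. dpm remove-active-admin - deactivates the device-admin registration
#      (assumed available; on older builds do this in Settings instead)
#   3. pm uninstall - removes the package
remediate() {
  comp=$1
  pkg=${comp%%/*}
  "$ADB" shell pm clear "$pkg"                 || return 1
  "$ADB" shell dpm remove-active-admin "$comp" || return 1
  "$ADB" shell pm uninstall "$pkg"
}

# Usage: ./flocker_adb.sh --scan            (list third-party device admins)
#        ./flocker_adb.sh --clean pkg/Class (remove the named admin component)
case "${1-}" in
  --scan)  suspicious_admins ;;
  --clean) remediate "${2:?admin component (pkg/Class) required}" ;;
esac
```

Run --scan first and confirm the listed component is the rogue app before passing it to --clean; pm clear wipes the package’s data, so it should not be aimed at a legitimate app. If no third-party admin shows up, the lock may be implemented some other way and the vendor route mentioned below is the safer path.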
However, if an infection occurs, the best option may be to contact the device vendor before attempting ADB debugging. This will help ensure that the most effective steps are taken to remove the malware and return the device to working order.
Ransomware is continuing to spread to a range of smart devices. Ensuring awareness and protection is paramount.