Security researchers have discovered a variant of the FLocker Android ransomware that not only infects mobile devices, but also can infect smart TVs running certain versions of the operating system.
The FLocker ransomware has been active for more than a year now, and it is many ways a typical piece of mobile ransomware. It is designed to scare victims into paying a ransom–$200 in this case–by locking the infected device and throwing up a screen that accuses the victim of some fictitious crime. The ransomware doesn’t appear to encrypt files on an infected device, but it locks the screen so the user can’t open any other apps or take any other actions until paying the ransom.
Researchers at Trend Micro said they have seen various versions of FLocker over the last year and the activity level of the ransomware has varied. The newest version of the malware, however, includes the ability to infect art TVs, many of which run Android.
“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards. Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs,” Echo Duan of Trend Micro said in a post analyzing the ransomware.
Once it’s installed on an infected device, FLocker has the ability to avoid static analysis tools and will request admin privileges as soon as it’s executed. If the user denies the privilege escalation request, FLocker will freeze the device screen. Once it gets the admin rights, the ransomware will connect to a command-and-control server and wait for instructions.
“The C&C then delivers a new payload misspelled.apk and the “ransom” HTML file with a JavaScript (JS) interface enabled. This HTML page has the ability to initiate the APK installation,take photos of the affected user using the JS interface, and display the photos taken in the ransom page,” Duan said.
“While the screen is locked, the C&C server collects data such as device information, phone number, contacts, real time location, and other information.”
Ransomware has been wreaking havoc on PCs for several years and recently attackers have begun targeting mobile devices as well, knowing that users rely on their phones for most of their daily activities. But the move to other connected devices such as smart TVs is a new, if inevitable, shift in tactics. Connected devices have small, but often powerful, embedded computers and most of them have no security defenses and are rarely, if ever, updated. That can make them prime targets for this kind of ransomware.