Jack

Level 85
Verified
Staff member
A piece of Android-based mobile ransomware has made the jump and is now capable of infecting and locking smart TVs running on the Android OS, security researchers are reporting.

Called FLocker (Frantic Locker), this ransomware appeared in May 2015, and Trend Micro says it detected over 7,000 different versions as its code kept evolving.

Only in April 2016, Trend Micro says it identified over 1,200 FLocker variants, as there was a visible development push behind this threat.

Trend Micro has not confirmed this, but the ransom screen seems to be identical to the ones used by the Cyber.Police (Dogspectus) ransomware. Back in April, around the same time of the spike in FLocker development, Blue Coat and Zimperium reported that Cyber.Police gained the ability to infect Android devices without any user interaction.

FLocker lies in hiding for 30 minutes

For this most recent evolution in FLocker's capabilities, Trend Micro explains that crooks are spreading the threat via SMS spam that contains malicious links.

Once users download the malicious apps spread through these links, the malware lies in hiding for 30 minutes. To avoid antivirus analysis, the malicious code is hidden in an HTML file inside the raw data "Assets" folder. This file conceals a DEX file with malicious routines.

After the 30-minute timer runs out, Flocker starts pestering the user to give it admin rights. If the user declines, FLocker freezes the screen with a fake system update message to scare them into giving it the required access.

After FLocker gains administrator privileges, it will start talking with its C&C server, from where it downloads another APK and the ransom note in the form of an HTML&JS file.

FLocker only recently gained the ability to target smart TVs
FLocker shows the ransom note on the entire screen and starts the second APK, which encrypts files with a hardcoded AES encryption key.


flocker-android-ransomware-now-infects-smart-tvs-505181-2.jpg


While previously FLocker worked only on mobile devices, recent versions have started encrypting data on smart TVs running on the Android OS as well.

The Android OS versions running on mobile devices and smart TVs are different, so not necessarily all Android malware will run on both. It's obvious that crooks added this behavior intentionally.

Read more: FLocker Android Ransomware Now Infects Smart TVs