A new form of ransomware that can attack Android-powered smart televisions has been discovered by security researchers at Trend Micro, Inc.

Dubbed FLocker (short for the Frantic Locker), the malware has been in circulation since at least April 2015 and has previously concentrated on locking down smartphones running the latest builds of Android. However, a newer version of the code now sees it target Smart TVs as well.

The malware can be spread in several ways, including via infected sites and even through SMS messages; it waits 30 minutes after infecting a device before it acts, starting a background service which requests device admin privileges.

If a user denies access to admin privileges, the malware will freeze the screen and fake system updating.

Upon gaining admin access, the malware contacts a command and control center and delivers a new payload that includes the ability to initiate further installations, take photos of the affected user, and to use those photographs as part of an extortion attempt.

Shortly thereafter users receive a “police trojan” message pretending to represent the “US Cyber Police,” that accuses the victim of false crimes and then demands $200 in iTunes gift cards to have the Smart TV or mobile device unlocked.

To make matters worse, an infection on one device means that all devices running Android on the same network may also become infected as well.

“Using multiple devices that run on one platform makes life easier for a lot of people. However, if a malware affects one of these devices, the said malware may eventually affect the others, too,” Trend Micro’s Echo Duan explained in a blog post.

Interestingly, the ransomware does not target everyone. If a device is determined to be located in the East European countries of Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia or Belarus, FLocker deactivates itself.

Solution

Unfortunately, there’s no easy solution to fix an infected device.

Trend Micro recommends that if an Android TV gets infected, the user should contact the device vendor for a solution.

Alternatively, the malware can be removed through enabling ADB debugging, connecting to the device using a PC, launching an ADB shell and then executing the comment “PM clear %pkg%”. This kills the ransomware process and unlocks the screen. Once fixed, users are advised to then deactivate ADB debugging.

Naturally, users are encouraging to practice safe internet and make sure they have mobile security software installed on all their Android devices.

photo credit: Freedom is for the free via photopin (license)