Researchers are actively tracking a ransomware family whose variants can infect all Android devices, including smart TVs.
Security analysts at Trend Micro explain they’ve come across 7,000 variants of the ransomware, dubbed “FLocker,” since it first appeared in May 2015.
The most recent variant is a bit peculiar, however, as a blog post published by the researchers explains:
“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards. Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs.”
Interesting… those in the security community are well aware of another form of Android ransomware variant that goes by the name of Cyber.Police. Like FLocker, this ransomware also demands $200 worth of iTunes gift cards.
The Cyber.Police ransomware screen even bears a similar (and in some cases exact) design to that used by FLocker:
Coincidence? Perhaps the same actors behind Cyber.Police developed FLocker? Or maybe those responsible for FLocker designed its ransomware screen after purchasing Cyber.Police’s code on the dark web?
Regardless of its relationship to Cyber.Police, FLocker hides away its code in the raw data files – specifically, in a file called form.html stored inside the assets folder. That little technique helps the ransomware avoid static code analysis.
Once the malware runs, it decrypts the form.html file and executes the malicious code.
Before FLocker proceeds any further, it first checks to see if the computer is running in any of the following countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, and Belarus. If it finds a match, it terminates. If not, it runs its routine after 30 minutes and starts a background service that requests device admin privileges.
Ultimately, the ransomware connects to a C&C server, delivers a new payload, and loads up the ransom screen asking victims to pay $200 in iTunes gift cards.
The researchers note an infection will likely succeed as long as it takes place on an Android device:
“The ransom webpage fits the screen, regardless if it infected a mobile device or a smart TV.”
To protect against an FLocker infection, Android users should be careful about what sites they visit while browsing online. They should also exercise caution around suspicious links, and – where possible – they should install a security solution on each of their Android smart devices.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.