FLocker Mobile Ransomware Crosses to Smart TV

TrendLabs Security Intelligence Blog (Trend Micro)

Posted on: June 13, 2016 at 3:15 am

Posted in: Internet of Things, Mobile, Ransomware

Author: Echo Duan (Mobile Threat Response Engineer)

Using multiple devices that run on one platform makes life easier for a lot of people. However, if malware affects one of these devices, it may eventually affect the others, too. This appears to be the case with an Android mobile lock-screen ransomware we came across, known as FLocker, which is capable of locking smart TVs as well.

Figure 1. TV ransomware screen


Ever since FLocker (detected as ANDROIDOS_FLOCKER.A and short for Frantic Locker) first came out in May 2015, we have gathered over 7,000 variants in our sample bank. Its author kept rewriting the malware to avoid detection and improve its routines. Over the past few months, we have seen spikes and drops in the number of iterations released. The latest spike came in mid-April with over 1,200 variants.


The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency. It accuses potential victims of crimes they didn't commit, then demands 200 USD worth of iTunes gift cards. Based on our analysis, there are no major differences between a FLocker variant that can infect a mobile device and one that affects smart TVs. Below is our analysis of FLocker's routines.


To avoid static analysis, FLocker hides its code in raw data files inside the assets folder. The file
it creates is named form.html and looks like a normal file.


Figure 2. FLocker avoiding static analysis


By doing so, the code in classes.dex stays quite simple and no malicious behavior can be found there, giving the malware a chance to escape static code analysis. When the malware runs, it decrypts form.html and executes the malicious code.

Figure 3. Encrypted code classes.dex (top) and decrypted code form.html (bottom)
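The asset-file trick described above is something a defender can screen for statically, before any dynamic analysis. The following is an added example, not code from the Trend Micro post: a Python scanner that treats an APK as the zip archive it is and flags assets/ entries whose bytes do not match a text extension, or whose byte entropy is close to that of encrypted or compressed data. The sample APK, its file names and the pseudo-random blob standing in for the hidden payload are constructed for the demonstration; FLocker's real form.html is not reproduced.

```python
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Constructed sample APK (just a zip, as real APKs are): a benign HTML asset plus an
# asset that carries an opaque blob under an .html name, the shape of FLocker's form.html.
# The blob is deterministic pseudo-random data, not malware.
def _pseudo_random(n, seed=b"asset-scan-demo"):
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # dummy dex header only
        z.writestr("assets/index.html", b"<html><body>Update available</body></html>")
        z.writestr("assets/form.html", _pseudo_random(4096))  # hidden-payload stand-in
    return buf.getvalue()

def shannon_entropy(data):
    """Bits per byte: about 7.9+ for encrypted/compressed data, 4-5 for HTML or JSON text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

TEXT_EXTENSIONS = {".html", ".htm", ".txt", ".js", ".css", ".json", ".xml"}

def looks_like_text(data, sample_size=512):
    """True when at least 90% of the leading bytes are printable ASCII or whitespace."""
    sample = data[:sample_size]
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(sample), 1) >= 0.9

def find_suspicious_assets(apk_bytes, entropy_threshold=7.0, min_size=256):
    """Return [(name, [reasons])] for assets/ entries that look like disguised binary payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = z.read(info)
            if len(data) < min_size:  # tiny files give meaningless entropy figures
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            reasons = []
            ent = shannon_entropy(data)
            if ent >= entropy_threshold:
                reasons.append("high entropy %.2f bits/byte" % ent)
            if ext in TEXT_EXTENSIONS and not looks_like_text(data):
                reasons.append("text extension but binary content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in find_suspicious_assets(build_sample_apk()):
        print(name, "->", "; ".join(reasons))
```

Run against a real APK by passing the file's bytes to find_suspicious_assets; the entropy threshold and minimum size are starting points, since legitimate apps also ship compressed or encrypted assets, so a hit is a reason to look closer, not a verdict on its own.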
When launched for the first time, FLocker checks whether the device is located in any of the following Eastern European countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus. If it detects that the device is located in one of these countries, it deactivates itself.

If FLocker reaches a compatible target, it waits for 30 minutes after infecting the unit before it runs its routine. After this short waiting period, it starts a background service, which immediately requests device admin privileges. We consider this a trick to bypass dynamic sandbox analysis. If the user denies the request, it freezes the screen, faking a system update.

Figure 4. FLocker bypassing certain countries


FLocker runs in the background and connects to a command-and-control (C&C) server. The C&C server then delivers a new payload, misspelled.apk, and the ransom HTML file with a JavaScript (JS) interface enabled. This HTML page has the ability to initiate the APK installation, take photos of the affected user through the JS interface, and display the photos taken in the ransom page.

The ransom webpage fits the screen, regardless of whether it infected a mobile device or a smart TV.

Figure 5. FLocker ransom page capture


While the screen is locked, the malware collects data such as device information, phone number, contacts, real-time location and other information, and sends it to the C&C server. This data is encrypted with a hardcoded AES key and encoded in base64.

Figure 6. Information sent to C&C server
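Encrypt-then-base64 exfiltration of the kind described above leaves a recognisable shape in proxy or web-server logs even when the key is unknown. As an added example (not from the post), the Python below runs a heuristic over constructed log lines: a POST body that is strict base64 and decodes to non-text bytes of high entropy, with a length that is a multiple of the 16-byte AES block, is flagged for review. The log lines, the hosts and paths in them, and the pseudo-random ciphertext stand-in are all constructed; no real FLocker key, traffic or C&C address is used.

```python
import base64
import math
import random
import re
from collections import Counter

def shannon_entropy(data):
    """Bits per byte of a byte string (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def _constructed_ciphertext(n=512, seed=7):
    # Deterministic stand-in for AES output: uniform random bytes, length a multiple of 16.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed web-proxy log lines (not real FLocker traffic). POST lines end in body=<value>.
SAMPLE_LOG = [
    "10.0.0.5 POST /api/ping body=" + base64.b64encode(b'{"status":"ok","battery":87}').decode(),
    "10.0.0.5 GET /index.html",
    "10.0.0.5 POST /search body=q=smart+tv&page=2",
    "10.0.0.5 POST /upload body=" + base64.b64encode(_constructed_ciphertext()).decode(),
]

LINE_RE = re.compile(r"^(\S+) (POST) (\S+) body=(\S+)$")

def is_encrypted_blob(decoded, min_len=128, entropy_threshold=7.0, block_size=16):
    """Heuristic for 'block cipher output': long enough, block-aligned, not text, high entropy."""
    if len(decoded) < min_len or len(decoded) % block_size != 0:
        return False
    printable = sum(1 for b in decoded if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(decoded) >= 0.9:  # base64-wrapped JSON or HTML, not ciphertext
        return False
    return shannon_entropy(decoded) >= entropy_threshold

def find_encrypted_posts(lines):
    """Return (line_no, source, path, decoded_len, entropy) for each suspicious POST body."""
    hits = []
    for idx, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _, path, body = m.groups()
        try:
            decoded = base64.b64decode(body, validate=True)
        except (ValueError, TypeError):  # form-encoded or otherwise not base64
            continue
        if is_encrypted_blob(decoded):
            hits.append((idx, src, path, len(decoded), round(shannon_entropy(decoded), 2)))
    return hits

if __name__ == "__main__":
    for hit in find_encrypted_posts(SAMPLE_LOG):
        print("line %d: %s POST %s -> %d bytes, entropy %.2f" % hit)
```

The block-alignment test is what separates this from a generic "high-entropy upload" rule: a legitimate gzip or image upload is high entropy too, but its length is arbitrary, whereas padded CBC/ECB output is always a multiple of 16 bytes. Stream-mode AES (CTR, GCM) would not be caught by that check, so treat the length test as a precision booster rather than a requirement when tuning.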


Ransomware usually reaches users via spam SMS or malicious links. This is why users should be wary when browsing the internet or when receiving messages or email from unknown sources.
Solutions
We suggest that users contact the device vendor for a solution first if their Android TV gets infected. Another way of removing the malware is possible if the user can enable ADB debugging. Users can connect their device to a PC, launch the ADB shell, and execute the command pm clear %pkg% (where %pkg% is the ransomware's package name). This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app.
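The recovery sequence above (pm clear, revoke device admin, uninstall) can be wrapped so that the order is enforced and the device-admin state is checked before an uninstall is attempted, since Android refuses to remove an app that is still an active device admin. This is an added example, not a Trend Micro tool: the package name is a placeholder (the post does not name FLocker's package), the dumpsys device_policy matching is a plain substring check on its output, and FakeDevice mimics adb's "Success"/"Failure" replies so the procedure can be exercised without a device.

```python
import subprocess

# Placeholder: find the real package on the device with
# `adb shell pm list packages -3` and `adb shell dumpsys device_policy`.
RANSOMWARE_PKG = "com.example.ransomware.placeholder"

def adb(args, runner=subprocess.run):
    """Run one adb command and return (returncode, stdout). `runner` is injectable so the
    procedure can be exercised offline (see FakeDevice below)."""
    proc = runner(["adb"] + list(args), capture_output=True, text=True)
    return proc.returncode, proc.stdout

def is_active_device_admin(pkg, runner=subprocess.run):
    """dumpsys device_policy lists enabled device admins by component name (package/receiver)."""
    code, out = adb(["shell", "dumpsys", "device_policy"], runner)
    return code == 0 and pkg in out

def cleanup(pkg, runner=subprocess.run):
    """Follow the post's recovery order: pm clear, revoke device admin, uninstall.
    Returns the (step, succeeded) pairs actually attempted, stopping at the first blocker."""
    steps = []
    # pm clear force-stops the app and wipes its data, which releases the lock screen.
    code, out = adb(["shell", "pm", "clear", pkg], runner)
    ok = code == 0 and "Success" in out
    steps.append(("pm clear (stop the ransomware, unlock the screen)", ok))
    if not ok:
        return steps
    # An active device admin cannot be uninstalled; the user must revoke it first.
    if is_active_device_admin(pkg, runner):
        steps.append(("revoke device admin in Settings > Security > Device administrators", False))
        return steps
    code, out = adb(["uninstall", pkg], runner)
    steps.append(("uninstall", code == 0 and "Success" in out))
    return steps

class FakeDevice:
    """Offline stand-in for adb (demonstration/testing only); output formats are mimicked."""
    class _Result:
        def __init__(self, returncode, stdout):
            self.returncode, self.stdout = returncode, stdout

    def __init__(self, admin_pkgs=()):
        self.admin_pkgs = set(admin_pkgs)
        self.cleared = []

    def __call__(self, cmd, **kwargs):
        if cmd[1:4] == ["shell", "pm", "clear"]:
            self.cleared.append(cmd[4])
            return self._Result(0, "Success\n")
        if cmd[1:4] == ["shell", "dumpsys", "device_policy"]:
            listing = "".join("    %s/.AdminReceiver:\n" % p for p in self.admin_pkgs)
            return self._Result(0, "Current Device Policy Manager state:\n"
                                   "  Enabled Device Admins (User 0):\n" + listing)
        if cmd[1] == "uninstall":
            if cmd[2] in self.admin_pkgs:
                return self._Result(1, "Failure [DELETE_FAILED_DEVICE_POLICY_MANAGER]\n")
            return self._Result(0, "Success\n")
        return self._Result(1, "")

if __name__ == "__main__":
    # Dry run against the fake device; drop `runner=` to use the real adb on a connected TV.
    for step, ok in cleanup(RANSOMWARE_PKG, runner=FakeDevice(admin_pkgs=[RANSOMWARE_PKG])):
        print("OK  " if ok else "TODO", step)
```

On a real device the function returns after the first pm clear with the "revoke device admin" step marked incomplete; once the user has removed the admin entry in Settings, running cleanup again proceeds to the uninstall.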
For securing mobile devices, we advise users to install security software on their smart devices to protect them from malicious apps and threats. Trend Micro Mobile Security and Trend Micro Mobile Security Personal Edition protect users from this ransomware and other related threats. Trend Micro Mobile Security Personal Edition is available on Google Play.
With additional analysis by Veo Zhang and Kenny Ye
Related hashes:
EC52052B4DC8C37708F9CD277A1EFAAABC4FE522
392E8B90431DFE55CA03E04A49FCE1514D61638E
73CFB54BD6830842553289D351A5C40EC821CE29
EB4764C55F092006FE68A533D337BDA21CFFCBE7
57236520EE6FCB12ACB43A5CACE00EBBB7B9E257
2A8381E2B2FAF165F03CCF8BE2CCB82AE2BC6022
1E43ED84DD1E3ED18E3C4DAADF163B9E25217E0C
BB7CF8958F3484AAD73D57A6995E483205367743
9C21A08BD4E329B5242B130765A420EB0DF6CF91
768720CCD207B37942477CCA7285CF1DFDF7C0C7
F926D140680E84C59B0DA62FF08A4ABC42D209D3
054ACD9B7D569FCC00591CECAA378578019C848F
130F2311A3D4A9095AB7EDBAE54C4985BB59F384
1B112B8CE74BA85175628C1139CE77C8F5B867EC
F230C9AFB23388F45127B09125E2EF34B5470F46
27D6595EA510D94D0E2EE3A9F9A878EB4B56195A
43E45499EA26406D8F3B8F661D58411A2D02073F
D35FD629DD2D02D919F6538C0B3DF896A2A6FC0D
7C975AB7C7017A298BBE149B7F60303A3066691B
2EDAAB6EDF0DFE789462BB2985F7E27E73C9DE43
3E309D1AC8C03DA8E63B5A8F5E82061C5448A2C9
5B45B906EB5BD2B45000D961541A2330A562A96F
6B544DF15355ABBEE271E5A426B03EFBE3B245B2
1A50CA69472ECF5B0CCF8B39FD94665C0E16AB09
C575D57CF8693EEB04C01110ADF8336BE2048C17

Related Posts:
Learning from Bait and Switch Mobile Ransomware
Android-based Smart TVs Hit By Backdoor Spread Via Malicious App
German Users Hit By Dirty Mobile Banking Malware Posing As PayPal App
Chinese-language Ransomware SHUJIN Makes An Appearance

Tags: android, mobile ransomware, Smart TV

Copyright 2016 Trend Micro Incorporated. All rights reserved.