The threat called FLocker (short for “Frantic Locker”) has been on the scene for a year already, and its creators are trying hard to keep it alive. Usually, FLocker is delivered to users via spam SMS or malicious links.
“The latest variant of FLocker is a police Trojan that pretends to be US Cyber Police or another law enforcement agency, and it accuses potential victims of crimes they didn’t commit. It then demands 200 USD worth of iTunes gift cards,” the security experts said. “Based on our analysis, there is also no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs.”
FLocker is very good at hiding itself: it is able to fool static code analysis and to bypass dynamic sandbox protection.
After infecting a device, the threat waits 30 minutes before running and then contacts its C&C. The C&C delivers a new APK file and the ransom note, an HTML file with a JavaScript (JS) interface enabled, which initiates the APK installation, takes photos of the affected user, and displays the photos taken in the ransom page.
The security experts claim that FLocker avoids targeting users located in Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus, but the threat goes after all others.
The victims of FLocker receive a localized ransom message which displays their IP address and photo, and this could be more than enough for the victims to start panicking and pay the fine. Nevertheless, the fact that the fine is paid by buying an iTunes Gift Card and typing in the card code might bring users back to their senses: whoever saw any “cyber police” requiring iTunes gift cards in lieu of a cash fine?
“If an Android TV gets infected, we suggest users contact the device vendor for a solution first,” the experts said. “Another way of removing the malware is possible if the user can enable ADB debugging. Users can connect their device to a PC, launch the ADB shell and execute the command ‘PM clear %pkg%’. This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app.”
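The removal steps quoted above, wrapped into a small POSIX shell script as an added example (this is not code from the article or from the researchers quoted). It assumes `adb` is on the PATH, USB debugging is enabled on the TV and the PC has been authorized, and that the operator already knows the malicious package name; the article names none, so `com.example.placeholder` and the `PKG` variable are placeholders. The package-name check and the printed plan are additions so that a typo cannot turn `pm clear` against the wrong app and the operator can review what will run before touching the device.

```sh
#!/bin/sh
# Added example, not code from the article or the quoted researchers.
# Assumes: adb on PATH, USB debugging enabled, PC authorized by the device,
# and the malicious package name supplied by the operator (placeholder below).
set -u

ADB="${ADB:-adb}"   # override to point at a different adb binary

# An Android package name is a dotted identifier. Refusing anything else keeps
# a typo or a stray shell character from reaching "pm clear" on another app.
valid_pkg() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$'
}

# Print the device-side commands, one per line, in the order they should run,
# so the plan can be reviewed before anything is executed on the device.
removal_plan() {
    pkg="$1"
    valid_pkg "$pkg" || { echo "refusing invalid package name: $pkg" >&2; return 1; }
    printf '%s\n' \
        "shell pm list packages $pkg" \
        "shell pm clear $pkg" \
        "shell dumpsys device_policy" \
        "shell pm uninstall $pkg"
}

# Execute the plan. "pm clear" is the step the researchers describe: it stops
# the ransomware process and releases the lock screen. Android refuses
# "pm uninstall" while the app still holds device-admin rights, so the
# dumpsys output is shown to point the operator at the admin entry that has
# to be deactivated in Settings before the last step can succeed.
run_plan() {
    pkg="$1"
    removal_plan "$pkg" >/dev/null || return 1
    "$ADB" wait-for-device || return 1
    if ! "$ADB" shell pm list packages "$pkg" | grep -q "^package:$pkg$"; then
        echo "package $pkg is not installed on this device" >&2
        return 1
    fi
    "$ADB" shell pm clear "$pkg"
    echo "--- device admins mentioning $pkg (deactivate in Settings if listed) ---"
    "$ADB" shell dumpsys device_policy | grep -F "$pkg" || echo "(none)"
    "$ADB" shell pm uninstall "$pkg"
}

# Usage: PKG=<malicious.package.name> sh flocker-clean.sh --run
if [ "${1:-}" = "--run" ]; then
    run_plan "${PKG:-com.example.placeholder}"   # placeholder: replace with the real name
fi
```

Run `removal_plan <pkg>` on its own first to see the exact commands; `run_plan` only proceeds if the package is actually present, and if the final `pm uninstall` is refused, deactivate the listed device administrator on the TV and rerun that single step.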