FLocker Mobile Ransomware Crosses to Smart TV

Well, using lots of devices or multiple apps on one platform is very useful and it make people’s life more easier that earlier. However, there is a drawback also. If malware infects any one of those devices, the said threat eventually end up affecting others too. It reminds me of a case when we got familiar with a Android mobile lock-screen ransomware, called as “Flocker” that is capable to lock Smart TVs as well.


FLocker first came out in May 2015 (“earlier it was detected as ANDROIDOS_FLOCKER.A and short for “Frantic Locker”), in our sample bank, we have collected over 7,000 variants. Its creators continued rewriting malware to prevent detection and also to improve its malicious routine. In the number of iterations released, we have found spikes and drop in over past few months. In mid-April, the latest spike came and with more 1,200 variants.

Police Trojan is the latest variant of FLocker, that claims to be US Cyber Police or other law enforcement agency. It blames people to participation in online crime which they actually didn’t commit. Then after, it demands for the 200 USD which is worth of iTunes gift cards. Based on our research and analysis, there are two major differences between variants of FLocker, out of one affect mobile device and another one infect Smart TVs. Below analysis of FLocker’s routines are given :

In order to deflect static analysis, inside the “assets” folder, in raw data file FLocker hides its code. The created files is named as “form.html” and it generally looks like a normal file like others.


By doing such task, “classes.dex” code becomes too simple and no harmful or malicious activities could be found there. Thus, from static code analysis, the malware get the chance to escape. When it runs into PC, it decrypt “form.html” and then after executes the malicious code.


When launched into device for the very first time, FLocker checks out whether the device is located in following given Eastern European countries : Azerbaijan, Bulgaria, Ukraine, Russia, Georgia, Belarus, Kazakhstan, Hungary and Armenia. If the device is located in one among these places, it gets deactivated by itself.

If FLocker reaches target which is compatible, after infecting the unit, it waits for another 30 minutes before it continues running its routine. After a very short waiting period, it initiates background services which later requests for the privileges of the device admin immediately. We take it as a trick to easily bypass dynamic sandbox. If user denies for this request, then it automatically freeze the screen and displays a fake system update.

In the background, FLocker runs and gets itself connected with the Command & Control (C&C). Then, with the JavaScript (JS) enabled, it delivers new payload misspelled .apk and also the “ransom” HTML file. The HTML page capability to initiate APK installation, take pictures of the infected users who are using JS interface and then after show the pictures which were taken in the ransom page.

The ransom web page completely fits the screen, regardless, if it affected a Smart TV or a mobile device.

During the period when screen is locked, the C&C collects all the data like phone number, real time location, device information, contacts and other valuable informations. These data are then gets encrypted with hardcoded AES key and then after encoded in base64.

Ransomware generally comes in contact with people via malicious links or spam SMS or emails. This is why, we should be more alert while browsing Internet or when received any emails or messages from unknown sources.