no-image

In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:

My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.

The Reddit post included this image:
SmartReddit

We immediately got to work trying to figure out if this threat was targeting connected televisions specifically or whether this was an accidental infection. Trying to connect to the webpage mentioned in the URL from the photo does not work — the domain name does not resolve to an IP at the moment.

We used our favorite search engine and found many hits while looking for the domain. Besides the host “ciet8jk” (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and pointed to same IP address.

The domain ***-browser-alert-error.com was registered on August 17th 2015.

One day later, an IP address was assigned:
SmartIPXYZBroAle-Blur

It appears that there were just a few days when this scam was online and thus, we’re sure the image from the TV is at least four months old.

These kind of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do.

Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam.

A few examples:

***sweeps-ipadair-winner2.com
SmartIPMyFavSwe-Blur

***-browser-infection-call-now.com
SmartIPMalBroInf-Blur

The last domain listed is still online but there is no reply from the server.
All the domain names mentioned have been blocked by Kaspersky Web Protection for several months.

Interestingly, all the IPs belong to Amazon’s cloud (54.148.x.x, 52.24.x.x, 54.186.x.x).

Although they used different providers to register the domain, they decided to host the malicious pages in the cloud. This could be because if offers another layer of anonymization, because it’s cheaper than other providers or because they were unsure about the traffic and needed something scaleable.

Still unable to find a live page, we kept searching for parts of the alert message and one hit took us to HexDecoder from ddecode.com. This is a webpage that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings were saved and are publically viewable.

This led to a decoded script and the original HTML file.
SmartDDecode

The script checks the URL parameters and displays different phone numbers based on the location of the user.

Phone numbers:

DEFAULT (US)          : 888581****
France                         : +3397518****
Australia                      : +6173106****
UK                               : +44113320****
New Zealand               : +646880****
South Africa                : +2787550****

The JavaScript selecting the phone number was uploaded to Pastebin on July 29th  2015  and it includes all the comments that were also present in the sample we got from HexDecoder. This is another indicator that this is not a new threat.

Now having the right sample, we took a look on a test machine and got this result, which is quite close to what we can see on the image from the SmartTV:
SmartScam

The page loads in any browser and displays a popup dialog. As you can see above, it even works on Windows XP. If you try to close the dialog or the window, it will pop up again.
SmartTVMallWare

We also ran the file on a Samsung Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings.

Keep in mind that you should never call those numbers! You might get charged per minute or someone at the end of the line might instruct you to download and install even more malware onto your device.

So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones.

These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change DNS settings.

Such behaviour could not be observed in this case, since they malicious pages have been removed already.
Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually.

There is malware that works on Smart TV, but it’s not really “in the wild” at the moment. There are several reasons why criminals focus on PC and smartphone users instead of Smart TVs:

  • Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices
  • Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS.
  • Hardware and OS may even change from series to series, causing malware to be incompatible.
  • There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.

 

But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV.

In a nutshell, this case isn’t malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you’re using.
Keep your eyes open!

 

Source: Secure List