How Android ransomware bricked my TV

Consumers are introducing more smart devices into their lives beyond smartphones, such as watches, televisions, and the on-board computers found in automobiles. In 2013, a Chinese vehicle manufacturer designed a “smart car” with a built-in Android OS computer, allowing consumers to insert their own SIM card so the car could be online around the clock!

We have Google to thank for making our lives easier and for the increased demand for and use of smart devices – not only is it a “win-win” for Google and smart device manufacturers, but also, very importantly, for consumers. Due to the open design of Android and the breadth of the Android SDK, there has been a steady increase in the manufacturing and development of Android smart devices. This is especially attractive to Android software engineers, as Android allows customization of the system image and leaves room for fresh application ideas.

There is a downside to the ease of customization – not every coder has good intentions. This is evident from the Android security landscape: malware for Android OS has increased since 2010, to the tune of hundreds of thousands of malware samples identified annually. Most of the malware targets smartphones, but just yesterday, as I was attempting to install a game on my IPTV set-top box, I was hit by an Android trojan of the kind known as “ransomware”.

After I installed and ran the “game”, my screen looked like this:

Android ransomware screen

There was no response from my remote control except for the “home” button, but even after I switched to “home”, it went back to the warning screen a few seconds later. There wasn’t even enough time to go to the application manager to uninstall the “game”!

After I contacted a friend who understood Russian, it was determined that this was a form of ransomware. This is a Russian to English translation of the text displayed by the ransomware:

Russian to English translation of the ransomware message

The variant was initially coded to attack smartphones; however, when installed on an Android IPTV set-top box, it turns the box into a boat anchor.

My IPTV set top model

The effect on the TV set-top box is actually worse than on a smartphone, as the box only has a USB OTG interface for mounting extra storage. You cannot use it to run an “adb” command to uninstall the package from a command line. There wasn’t even a factory-restore button on the body of the box, and to top it off, my free support service had expired. Sigh.
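For contrast, this is the triage step that a device with a working adb interface does allow: list the non-system packages first installed after a given time, so a freshly sideloaded “game” can be identified and removed with `pm uninstall`. This is an added example, not code from the original post; the `dumpsys package` excerpt and the package names in it are constructed for illustration.

```shell
#!/bin/sh
# Constructed excerpt in the format of `adb shell dumpsys package`:
# each package block carries its flags before its install timestamps.
SAMPLE_DUMPSYS='Package [com.example.game] (1a2b3c):
    userId=10087
    codePath=/data/app/com.example.game-1
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    firstInstallTime=2015-06-26 10:50:12
    lastUpdateTime=2015-06-26 10:50:12
Package [com.android.settings] (4d5e6f):
    userId=1000
    codePath=/system/priv-app/Settings
    flags=[ SYSTEM HAS_CODE PRIVILEGED ]
    firstInstallTime=2009-01-01 00:00:00
    lastUpdateTime=2009-01-01 00:00:00
Package [com.example.weather] (7a8b9c):
    userId=10042
    codePath=/data/app/com.example.weather-2
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    firstInstallTime=2015-03-02 08:15:00
    lastUpdateTime=2015-05-11 12:00:00'

# recent_nonsystem_packages SINCE
# Reads dumpsys output on stdin and prints the names of packages that do not
# carry the SYSTEM flag and whose firstInstallTime is at or after SINCE.
# SINCE is "YYYY-MM-DD HH:MM:SS"; the zero-padded format lets a plain string
# comparison order timestamps correctly.
recent_nonsystem_packages() {
    since="$1"
    awk -v since="$since" '
        /^Package \[/ { pkg = $2; gsub(/\[|\]/, "", pkg); system_app = 0 }
        /^ *flags=/ && /SYSTEM/ { system_app = 1 }
        /^ *firstInstallTime=/ {
            sub(/^ *firstInstallTime=/, "")
            if (!system_app && $0 >= since) print pkg
        }'
}

# On a live device (assumes adb access, which the set-top box did not offer):
#   adb shell dumpsys package | recent_nonsystem_packages "2015-06-26 00:00:00"
#   adb shell pm uninstall <package>    # or: adb shell pm disable-user <package>
printf '%s\n' "$SAMPLE_DUMPSYS" | recent_nonsystem_packages "2015-06-26 00:00:00"
```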

In China, IPTV set-top boxes are a big market; however, there are few security products, if any, to protect them. Besides set-top boxes, the above story could happen to other smart devices as well, such as a smart watch. Consumers use these devices not only to tell time but also to track very sensitive personal information, such as logs indicating when and where you go hiking or running, your heart rate, etc. It is conceivable that smart watches could be an attack vector in the future as well.

Using our imagination, there is seemingly no end to the kinds of smart devices, such as furniture or appliances – even air conditioners:

Internet auto-fill search for smart air conditioners

Chinese appliance manufacturer Gree recently announced that they also have plans to produce smart air conditioners. As smart devices become more involved in our personal lives, we need to be “smart” as well, and stay alert to possible threats.

Influenced and inspired by industry visionaries and by research such as Vincent Weafer’s blog on ransomware at large (“Franchising Ransomware”), 0XID conducted ransomware research from another angle, to understand its impact on the Internet of Things. According to VirusTotal, an online file-scanning service, there is an upward trend in ransomware samples affecting IoT:

IOT Ransomware Sample Trending

The following table lists the most prevalent ransomware samples affecting IoT:

IoT Ransomware Prevalence Table

Lastly, this is the sha256 hash for the ransomware described in this blog post:

2faaf3186853ab0b6432971bd4a739c772ceace80ea3404f313b305ac393f396


NewSky Security Research Team