Incidents

Malware on the Smart TV?

In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:

My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.iff

The Reddit post included this image:
SmartReddit

We immediately got to work trying to figure out if this threat was targeting connected televisions specifically or whether this was an accidental infection. Trying to connect to the webpage mentioned in the URL from the photo does not work — the domain name does not resolve to an IP at the moment.

We used our favorite search engine and found many hits while looking for the domain. Besides the host “ciet8jk” (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and pointed to same IP address.

The domain ***-browser-alert-error.com was registered on August 17th 2015.

Two days later, an IP address was assigned:
SmartIPXYZBroAle-Blur

It appears that there were just a few days when this scam was online and thus, we’re sure the image from the TV is at least four months old.

These kind of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do.

Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam.

A few examples:

***sweeps-ipadair-winner2.com
SmartIPMyFavSwe-Blur

***-browser-infection-call-now.com
SmartIPMalBroInf-Blur

The last domain listed is still online but there is no reply from the server.
All the domain names mentioned have been blocked by Kaspersky Web Protection for several months.

Interestingly, all the IPs belong to Amazon’s cloud (54.148.x.x, 52.24.x.x, 54.186.x.x).

Although they used different providers to register the domain, they decided to host the malicious pages in the cloud. This could be because if offers another layer of anonymization, because it’s cheaper than other providers or because they were unsure about the traffic and needed something scaleable.

Still unable to find a live page, we kept searching for parts of the alert message and one hit took us to HexDecoder from ddecode.com. This is a webpage that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings were saved and are publically viewable.

This led to a decoded script and the original HTML file.
SmartDDecode

The script checks the URL parameters and displays different phone numbers based on the location of the user.

Phone numbers:

DEFAULT (US)          : 888581****
France                         : +3397518****
Australia                      : +6173106****
UK                               : +44113320****
New Zealand               : +646880****
South Africa                : +2787550****

The JavaScript selecting the phone number was uploaded to Pastebin on July 29th 2015 and it includes all the comments that were also present in the sample we got from HexDecoder. This is another indicator that this is not a new threat.

Now having the right sample, we took a look on a test machine and got this result, which is quite close to what we can see on the image from the SmartTV:
SmartScam

The page loads in any browser and displays a popup dialog. As you can see above, it even works on Windows XP. If you try to close the dialog or the window, it will pop up again.
SmartTVMallWare

We also ran the file on a LG Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings.

Keep in mind that you should never call those numbers! You might get charged per minute or someone at the end of the line might instruct you to download and install even more malware onto your device.

So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones.

These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change DNS settings of your system or home router which may lead to similar symptoms.

Such behaviour could not be observed in this case, since they malicious pages have been removed already.
Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually.

There is malware that works on Smart TV, but it’s not really “in the wild” at the moment. There are several reasons why criminals focus on PC and smartphone users instead of Smart TVs:

  • Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices
  • Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS.
  • Hardware and OS may even change from series to series, causing malware to be incompatible.
  • There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.

 

But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV.

In a nutshell, this case isn’t malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you’re using.
Keep your eyes open!

 

Malware on the Smart TV?

Your email address will not be published. Required fields are marked *

 

  1. some joe

    Quite interesting, although I wonder if the lack of modification or exploit of the page shown is because its more a symptom of another exploit…i notice the screenshot shows 3 tabs with this page, makes me wonder if they were infact subject to a dns attack, but with spam being the end goal.

    One SmartTV to watch out for is the older Samsungs, I noticed they stopped updating the firmware years ago (and it runs Java…that combo never lasts) – I leave the ethernet unplugged now!

  2. John

    I have a LG smart tv. I have never seen these options on my screen. But my TV flashes up different things like it is trying to change imputs. I found it strange and my searching led me here.

  3. moeburn

    Hey that’s me! You guys coulda sent me a PM or something, I would have been happy to answer any questions. For example, her TV was not fixed by restarting the browser or TV, and she couldn’t browse to any website without seeing this message. It effectively killed the entire internet browsing capabilities of her TV. Had to call LG to find out how to do a factory reset.

  4. Karthik

    Hi,
    Had the exact same issue, with the exact same dialog. Came up when I visited a site that streams indian movies. ANyhow, contacted support and the solution — Unplug TV, wait 30 seconds, plug it back! Thats it – i have the UN60KU6300FXZASKU (60″ UHD)

    1. fixit

      How to fix ,reset your router , job done…..

  5. Corey Hebert

    My Lg3 Google smart TV has a ransom virus. I have been looking for a fix for 16 months . It’s cyber police ransom demanding I pay with iTunes gift cards

    1. moeburn

      Well either do what the other people said – leave it unplugged for 60 seconds to trigger a firmware reset – or call LG customer support and ask them how to do a factory reset, that’s what I did.

    2. Bo

      That isn’t a virus. That is some kind of applet that you managed to download trying to make you think you have something. As stated, a factory reset will fix it right up.

  6. Bo

    That isn’t malware though. That is an applet the runs that tries to fake you into thinking you have something. Call the number, give them your credit card, they tell you how to get out of the window that won’t otherwise close. It isn’t malware, it is an applet.

  7. Mike

    Hey “Bo” from your post on January 25, 2017.

    GFY. You are a troll.

    People …ignore his post

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox