Android-based Smart TVs Hit By Backdoor Spread Via Malicious App

Share this…

With the year-end shopping season over, many consumers now have new various smart gadgets in their homes. One particularly popular usage of this so-called Internet of Things (IoT) are smart TVs. These TVs are more than just passive display devices; many of them can even run Android apps as well. Some may find these features useful, but these capabilities bring their own risks. (This was something we noted two years ago when we first looked some of the issues of smart TVs.)

Apps that allow users to watch channels from other parts of the world (that would otherwise be unavailable via other methods) are something that many users would find useful. However, some of these apps may put users at risk. These apps contain a backdoor that abuses an old flaw (CVE-2014-7911) in Android versions before Lollipop 5.0 (Cupcake 1.5 to Kitkat 4.4W.2). (We detect these malicious apps as ANDROIDOS_ROOTSTV.A.)

Most smart TVs today use older versions of Android, which still contain this flaw. TV brands that sell vulnerable smart TVs include Changhong, Konka, Mi, Philips, Panasonic, and Sharp. In addition, other Android devices with older versions installed are also at risk: it just happens to be that  these kinds of apps are mainly used in smart TVs or smart TV boxes.

The sites that distribute these malicious apps are located at the following URLs. These sites are under the H.TV name, with most visitors located in the United States or Canada.

Image below Sites that serve malware to smart TVs
Figure 1 https://pf3a[.]res4f[.]com
https://www[.]htvmarket[.]com
https://mak[.]wak2p[.]com
https://wh[.]waks2[.]com
Figure 2 https://sites[.]google[.]com/site/htvfanshare/2012summer_collection

Figure 1: Screenshot of sites that serve malware to smart TVs

Figure 2: Screenshot of site that serve malware to smart TVs

In addition to the websites above, the malware also uses the following download servers:

Domain Example
meiz.le2ui.com https://meiz[.]le2ui[.]com:80/marketdatas/apk/ChineseVideo2.11.1.apk
yaz.e3wsv.com https://yaz[.]e3wsv[.]com:80/marketdatas/apk/ChineseVideo2.11.1.apk

How the Attack Happens

How is this attack distributed? First, the attackers lure owners of smart TVs to the websites mentioned above and get them to install the apps infected with malware. Once these are installed, the attacker will trigger the vulnerability in the system.  Well-known exploit techniques like heap sprays or return-oriented programming are used to gain elevated privileges in the system.

Figure 3: Malware app triggers the vulnerability

Figure 4: Malware app exploits the system

With elevated permissions, the attacker will then silently install others apps or malware onto the system. Our analysis revealed that they remotely update apps or remotely push related apps to the television sets.

Figure 5: App silently installs other malware

Figure 6: Malware remotely updates apps

However, note that these remotely installed apps are only downloaded via HTTP and not HTTPS. As a result, a second attacker capable of carrying out man-in-the-middle attacks could change the downloaded apps, in effect overriding the payload of the first attacker.

How to Protect Your Smart TVs

Trend Micro™ Mobile Security can detect this threat. While most mobile Android devices can easily be upgraded to the latest version, upgrading smart TV sets may be more challenging for users because they are limited by the hardware. As such, we recommend getting protection solutions installed instead and avoiding the installation of apps from third-party sites.

Check out this infographic to learn more about smart TV sets: Are Smart TVs Ready for Prime Time?

Related hashes are as follows:

  • 019d4326d3340609b3f8326d51e031cafc6bf9a0
  • 01a0b3fbf3e4e840e6aa441353ff29e4c5bf3e10
  • 0637b9116af595e7451dea655a05c32aa89fcbdb
  • 069138865d4a58b3683f1aa687408b40c92fe9cf
  • 0937b9598a58c6fad80c8e41f08e11e6d036d4b4
  • 0c6a075e0cf4e94d57afe085d39423400fa88b7c
  • 2bbcf7511d6953a64f4284f2454dce119bd1063e
  • 2daabbe1d2213594c2a8017401f4fa82e24a2475
  • 396cb2137a6cd6880c96035464712513f44d52b9
  • 3fd7f0b2e8249ff5f08a82f5df003f2713744824
  • 583722e9c6bbbf78d7d4d9689679d22ff6a2c4e9
  • 6357da20ed2661d9b8943275c515c3bd6b9b46c6
  • 8f999a80497bc29f633301f7f96489fe9be4eab5
  • 9434f41147eb7259dcf4f1dd8ed7d1209b1546b8
  • 9ecbff5df641da74910439aefd4ab0596afaff6f
  • a54341b76b88034de6a47bb5904e6c01c53f3cc4
  • bde06adde1d6f4ac3a1865a4314ca45ca807b39c
  • d1af06e54e294dbc106c03650ac8a556c1b1e1e9
  • d1f005e07d5369230d2624de94cfcbdad14cd914
  • d3ab0dd0ac28181e0c531909460dcdd417178d2d
  • dbf3a4d820db3974edc8063d852afa40217a9750
  • fe86ae99ee7b75abf2bce047f4b5f2f1b20d3492
 Source:https://blog.trendmicro.com/