January 11, 2016

Smart TVs that use the Android OS can use apps to watch streaming TV channels. But according to Trend Micro, some of these apps contain a backdoor that abuses an old flaw in Android versions before Lollipop 5.0 (basically anything between Cupcake 1.5 and KitKat 4.4W.2).

Trend Micro has provided a list of URLs that are distributing the malware apps under the name “H.TV”.

Here’s how the attack works [from the Trend Micro blog]:

First, the attackers lure owners of smart TVs to the websites mentioned above and get them to install the apps infected with malware. Once these are installed, the attacker will trigger the vulnerability in the system. Well-known exploit techniques like heap sprays or return-oriented programming are used to gain elevated privileges in the system.

With elevated permissions, the attacker will then silently install other apps or malware onto the system. Our analysis revealed that they remotely update apps or remotely push related apps to the television sets.

However, note that these remotely installed apps are only downloaded via HTTP and not HTTPS. As a result, a second attacker capable of carrying out man-in-the-middle attacks could change the downloaded apps, in effect overriding the payload of the first attacker.

Trend Micro says the risk to smart TV users is significant, as most smart TVs today use older versions of Android that still contain the flaw being exploited. Changhong, Konka, Mi, Philips, Panasonic, and Sharp are among the brands listed as selling TVs with pre-Lollipop Android.

Trend Micro adds that any device running pre-Lollipop Android has the same flaw, although the apps in question are typically used with smart TVs or smart TV boxes.

The obvious solution is to upgrade your Android OS, but this isn't easy to do with smart TV sets because of hardware limitations. Trend Micro recommends installing protection solutions – and, of course, don't install apps from third-party sites.
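The quoted Trend Micro analysis notes that the remotely pushed apps travel over plain HTTP, so anyone on the path could swap the payload. The following is an added example, not code from the article, from Trend Micro, or from the H.TV apps, showing the two checks an update path should make before anything is installed: refuse non-HTTPS transport, and verify the downloaded bytes against a digest pinned in the installer. The URLs, the sample payload bytes, the pinned digest, and the `fetch_and_verify`, `honest_server`, `tampering_middlebox` and `run_scenarios` names are all constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample bytes standing in for an update APK, plus the SHA-256
# digest the installer would have been shipped with. Neither value comes from
# the H.TV report; they exist only so the example runs offline.
GENUINE_PAYLOAD = b"PK\x03\x04constructed-sample-update-payload"
EXPECTED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()


class UntrustedTransport(ValueError):
    """Raised when the update URL is not HTTPS."""


class IntegrityError(ValueError):
    """Raised when the downloaded bytes do not match the pinned digest."""


def fetch_and_verify(url, expected_sha256, fetch):
    """Return the update bytes only if they arrived over HTTPS and match the pin.

    `fetch` is injected so the example can be driven by the fake transports
    below instead of a network; a real installer would pass a urllib-based
    function here.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        # Plain HTTP gives an on-path attacker a free hand to replace the
        # payload, which is the secondary risk the report points out.
        raise UntrustedTransport(f"refusing to fetch an update over {scheme!r}")
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is the idiomatic way to compare verification strings.
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError("payload digest mismatch; refusing to install")
    return data


def honest_server(url):
    """Fake transport: serves the genuine payload unchanged."""
    return GENUINE_PAYLOAD


def tampering_middlebox(url):
    """Fake transport: models the payload being altered before it arrives."""
    return GENUINE_PAYLOAD.replace(b"sample", b"hostile")


def run_scenarios():
    """Exercise the cases the report implies; returns the outcome per case."""
    cases = {
        # What the reported apps do: fetch the update over plain HTTP.
        "http_plain": ("http://updates.example.invalid/app.apk", honest_server),
        # HTTPS, but the bytes were altered anyway (e.g. a compromised server);
        # the transport check passes and the digest pin is what catches it.
        "https_tampered": ("https://updates.example.invalid/app.apk", tampering_middlebox),
        # HTTPS and the bytes match the pin: the only case that is accepted.
        "https_genuine": ("https://updates.example.invalid/app.apk", honest_server),
    }
    outcomes = {}
    for name, (url, transport) in cases.items():
        try:
            fetch_and_verify(url, EXPECTED_SHA256, transport)
            outcomes[name] = "accepted"
        except UntrustedTransport:
            outcomes[name] = "refused:transport"
        except IntegrityError:
            outcomes[name] = "refused:integrity"
    return outcomes


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:15} -> {outcome}")
```

The two checks are complementary: TLS protects the bytes in transit, while the pinned digest catches a payload that was wrong before it ever left the server. On a real Android device the platform's own APK signature verification is a third layer; the example does not model that.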