Smart TVs are becoming an increasingly popular commodity within the Internet of Things (IoT) product playground. However, the fact that these TVs have capabilities far beyond those of a passive display device means that they also bring their own risks.
This is according to a recent blog post published by Trend Micro, in which security experts highlighted a new risk associated with smart TVs.
The apps on smart TVs that allow users to watch channels from around the globe are beneficial to many users; however, according to Trend Micro, these apps also put users at risk. Researchers at the IT security giant have stated that these apps contain a backdoor that abuses an old flaw (CVE-2014-7911) in Android versions before Lollipop 5.0 (Cupcake 1.5 to KitKat 4.4W.2).
The majority of today’s smart TVs use older versions of Android that still contain this flaw. According to Trend Micro, other Android devices with older versions installed are also at risk, but these kinds of apps are mainly used in smart TVs or smart TV boxes. The Trend Micro blog post about these threats lists the URLs of the sites that distribute these malicious apps. Most visitors to these sites are located in the United States and Canada.
How is this attack distributed?
Attackers lure the owners of smart TVs to the websites mentioned above and get them to install the apps infected with malware. Once the apps are installed, the attacker will trigger the vulnerability in the system. The attackers then use exploit techniques to gain elevated privileges in the system, through which they can silently install other apps or malware onto the system. Trend Micro’s analysis revealed that attackers will remotely update apps or remotely push related apps to the television sets.
How to protect Smart TVs
Trend Micro Mobile Security can detect this threat. Upgrading smart TVs may be challenging for owners because they are limited by the hardware, which is why Trend Micro recommends getting protection solutions installed instead and avoiding the installation of apps from third-party sites.