Android-powered smart TVs targeted by malicious apps

The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps.

The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches.

"Most smart TVs today use older versions of Android, which still contain this flaw," wrote Ju Zhu, a mobile threats analyst with Trend. "While most mobile Android devices can easily be upgraded to the latest version, upgrading smart TV sets may be more challenging for users because they are limited by the hardware."

The vulnerable Android versions are Cupcake 1.5 through Kitkat 4.4W.2., Zhu wrote.

Security experts say that smart TVs could become attractive to cybercriminals since their operating systems are not updated as rigorously as desktop computers.

Smart TVs are rising in popularity and are essentially large versions of mobile phones. The devices have operating systems and networking capabilities and hardware features such as USB ports, all of which present opportunities for hackers.

The malicious apps exploit the Android vulnerability when a user downloads one. Zhu said TV users are lured to the app sites but didn't describe if there are other tricks involved in getting people to download the apps.

Once a malicious app is installed, it is possible for the attackers to install other apps on the smart TV.

The app websites do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts the connection. It would be possible then for a second attacker to intercept the unencrypted connection and conduct a man-in-the-middle attack "in effect overriding the payload of the first attacker," Zhu wrote.