A total of 6.1 million smart TVs, routers and phones are at risk due to a three-year-old vulnerability which has not been patched by many vendors.
The problem came due to a loophole in the portable SDK for UPnP™ Devices or libupnp that allows a buffer overrun to run arbitrary code on an affected device that can give the attacker ability to take control of the device.
Devices that do not have defenses such as data execution prevention and address space layout randomization are ast risk because of this.
This library is used to implement media playback (DLNA) or NAT traversal (UPnP IGD). Apps on a smartphone can use thtese features to play media files or connect to other devices within a user’s home network.
This is the reason why researchers think China's behind the attack on Australia's BoM and why Chinese criminals target journalists.
Although a patch was issued for the component in December 2012, a global security software company, Trend Micro found 547 apps used an older unpatched version of it. 326 out of them are available on Google Play store, including high-profile apps such as Netflix and Tencent QQMusic.
The vulnerability is also found widely in 3G and 4G cellular USB modems and routers.
The campaign first installs "Pony," then a "cocktail" of malware that harvests credentials before encrypting files.
The concern is growing to look over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products.
Android and iOS developers need to be keep an eye out for security fixes when including 3rd party libraries that use c/c++ and updating apps accordingly.