This is not our first time dealing with ransomware, especially Cyber Police. We’ve been in business with this exploit for quite a time. Why so long? Because it’s unique. It evolves. The way it worked today is significantly different than a year ago. Now, it can be used to affect millions of Android devices. It can secretly enter your device, lock and render it useless. All done without you knowing any of it.

Blue Coat Labs first discovered Cyber Police. It wasn’t too long until Zimperium Labs confirmed the report. FYI, it’s the same lab that discovered the StageFright hack.

What is ransomware?

Ransomware is a malicious script. It can lock any computer or device from the user. Once locked, you can’t use it unless you pay the ‘ransom.’

Here comes the tricky part.

If you’re attacked by ransomware, your data is usually safe. But, paying the ransom won’t guarantee anything, including your data. The attacker may still hold your data, even after he got the payment.

Cyber Police Attack

The attack begins with the name. Once active, this ransomware displays itself as an app called Cyber Police. A message similar to the following image will appear on your screen. This malicious app will try to ensure you that your security has been compromised. How? By telling you that somewhere in the past, you accessed illegal websites. These websites are harmful and your system has been affected.

This message claims to be sent by some sort of security agency. And that’s why people fall for it. People just believe on everything without checking it. The sender, “American National Security Agency’ doesn’t even exist.

If you ever received this message, let me tell you this. This fake agency lies about everything. It lies about your current security system. It lies about how to fix it. It even lies about itself. Don’t believe anything, especially the ransom. Paying the ransom won’t fix anything. It has nothing to do with legal action. Or even restoring your device.

In the following example, the attacker asked for 2 Apple iTunes gift card. Sounds simple? Well, you’re wrong. This attack was never related to any legal threat. Therefore, paying it won’t fix anything.

That’s not the only scary part. This Cyber Police is viral. It just takes an ad to infect a system. No need to click it. Once you see it, you’re in serious problem. Also, there is no way we recognize malicious ad.

Andrew Brand, Blue Coat Labs director of threat research, said, “This is the first time, to my knowledge an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim.”

What he said makes sense. An exploit is basically an app. Usually, an app needs user’s permission to enter/change the system. But, in this case, it doesn’t.

So, what really happened deep down there? An expert from Zimperium Labs, Joshua Drake, tried to answer this. He analyzed the sample and found the answer. This malicious app uses a root this. This tool is known as Towelroot and it can take control of any device. It also has one more ‘gift.’ It uses the very same exploit The Hacking Team uses. You should fear this one. This hacker team sells data to literally anyone. And it’s not just any data. It’s surveillance data.

Is Your Device Safe?

This ransomware only attacks Android device. If you’re using iOS, Blackberry, Windows Phone, or other OS, this is your first good news.

And here is the next. If your device is less than a year, you’re probably safe. This ransomware can only attack Android ICS to Kitkat. If your device is still running either this OS or another OS between them, please upgrade it immediately. As of now, there are still 500 million devices running these OS. Certainly, you don’t want to become one of them, do you?

How to Protect Yourself

What if you’ve been hit? Is there something you can do, let’s say, to minimize the damage?

First, if you’re hit, there’s not much to do. The attack will lock your data. You’ll lose it. Remember, paying the ransom won’t guarantee you’ll get your data back. That’s why I told you that you have not much to do. The only left options won’t even satisfy you.

Here are my recommendations. If you’re hit by this ransomware, you certainly need a new device. Perhaps, not the best option. Especially, if you just bought the last device. But this is your best option for this moment. Why? Because your device most likely won’t get any update or patch from Google. So, that means a new device.

I know how it sounds, but this is no time to regret. In the future, try to avoid malicious websites. These websites most likely have been equipped with any sort of malicious app. Ransomware, trojan, and anything else. The good news is, most popular websites have their own security system to kick these threats. Google, Yahoo, CNN, Facebook, Amazon, and many else.

Also, do you have a secure browser? Browser like Google can secure your browser. It will notify you for any suspected malicious activity. Say goodbye to ransomware.

And here is my last advice. Always remember to backup your data. Your videos, music, document, pictures. All your important data. This ransomware may not attack all of them. But, who knows what it attacks? Maybe your most important data. Once they get it, I doubt they will give it back. That’s how serious ransomware attack is.

How to Remove Cyber Police Ransomware

There is still a debate on this. Some experts believe there’s nothing to do after a ransomware attack. But, let’s remember this. When there is a will, there’s a way. There is always hope for everything.

First thing first, never pay. Your money is the real ransomware target, not your data. Therefore, there is no guarantee you’ll get your data back. Not even after you paid the ransom.

Second, factory reset might help. A researcher at Blue Coat Labs proved this. He successfully removed the ransomware from a Samsung tablet using only factory reset. This is a good news. You can unlock your device. But, you know where it goes. Factory reset deletes all data in your device. It’s a pain, but worth if you want your device back.

(Once again, backup. It will solve your problem. You may lose your data, but not all of it. If you haven’t backed up your data, try connecting your device to a laptop/PC. Sometimes, you can still read your memory and pull back the data. Do this before the factory reset.)

This Cyber Police ransomware will lock your device. That means, you can’t go to Settings. You can’t factory reset your device from there. However, as I said, there is always hope for everything. If you can factory reset your device from there, you have another way to do it.

(PS: each device may differ. We try this on a Samsung device)

1. Turn off your device.
2. Press and hold Volume up, Home key, and Power button. Wait until the Samsung logo appears.
3. Once the logo appeared, release ONLY your device Power button.
4. You will enter the Android system recovery screen.
5. Use the Volume Up/Down button to select Wipe Data/Factory Reset.
6. A reset confirmation will appear. Use Volume Up/Down button to select “Yes.”
7. Press your device Power button to confirm.

Some Android users reported that these steps didn’t work. Somehow, the ransomware prevented them from doing so. Other users reported a problem while backing up their data. They tried PC-Android backup, but apparently can’t access the data. In either of these conditions, reboot your Android device into safe mode.

Here are the complete steps:

1. Keep your device ON.
2. Press and hold your device Power button for a few seconds. Release the button once you see the shut-down prompt.
3. Find the Power Off option. Tap and hold there for a few seconds. Release after you see the “Restart in Safe Mode” prompt.
4. Tap Yes.
5. Open Settings.
6. Open Applications.
7. Choose Applications Manager
8. Head towards Downloaded tab.
9. Find anything you don’t recognize. Then delete it. The ransomware should be one of them.
10. Once done, turn off your device.
11. Reboot your device to its normal state.

Hopefully, this step will help you remove the ransomware and unlock your device. Try for a few times if it doesn’t work.

If neither steps work, perhaps it’s the sign you need a new device.