Just another day in the world of Android. The latest exploit, dubbed "Cyber Police", has been doing the rounds, affecting millions of Android devices. The ransomware installs itself on your Android device, locks it, and then demands to be paid via - wait for it - iTunes gift cards!
Unlike other malware threats, this one downloads automatically, without the user knowing anything about it. The malware masquerades as a warning from the U.S. government's intelligence agencies and installs itself after the user visits one of several compromised websites. First reported by Blue Coat and then confirmed by Zimperium Labs, the Cyber Police Android ransomware prevents users from doing anything on the device until a ransom of $200 is paid in iTunes gift cards.
Why is it named Cyber Police?
If you too are wondering why this malware is called Cyber Police, it's mainly because of how it works. The exploit is served from certain compromised websites, including porn domains, and the message that then appears claims to come from the U.S. government, explaining that the device has been locked because the user supposedly browsed illegal websites. Presenting itself as a law enforcement intervention into your browsing habits, it also warns the victim that their browsing history is stored in the database of the U.S. Department of Homeland Security.
The researchers have said that this might be the first time an exploit kit has been used to install malicious apps on a device without any interaction on the part of the victim. The attack doesn't even show the application permissions dialog that normally appears before any Android app is installed. The exploit kit delivering this latest ransomware to Android devices chains several vulnerabilities to install the malware silently in the background. One of the exploits used in the attack was leaked during the Hacking Team data breach, security researchers at Blue Coat and Zimperium have confirmed.
The good news - you don't have to pay!
Unlike other ransomware cases, this threat doesn't encrypt data. This essentially means that you can retrieve your data by connecting your Android device to a PC and then performing a factory reset. A factory reset removes the threat, along with all of your data, from the affected device.
The ransomware doesn't threaten to (or actually) encrypt the victim's data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes. That's unusual, because it's far more common nowadays for ransomware to demand a hard-to-trace cryptocurrency such as Bitcoin. In theory, it might be possible for Apple (or its iTunes gift card partners) to track who redeemed the gift cards provided to the criminals, which may help investigators identify them.
The malware was first documented in December 2015, but this newer behavior has only existed since this February. If you are using an Android device that is still on Android 4.0.3 to Android 4.4.4, you could fall victim to this attack. Those on Lollipop or Marshmallow, however, are safe from this latest Cyber Police ransomware.
For technical details and a list of the affected domains, please visit Blue Coat.