ransomware

[ciliegia]

The other day I downloaded an app to my computer.  Ran it through my virus scan and then through Malwarebytes Enterprise.  Everything said it was clean.  So, I BT it to my cell phone (LG Fiesta), installed it, and my Malwarebytes Mobile stated that the file "might have ransomware."  My question is (kind of obvious): how could it be clean in one form of Malwarebytes (desktop...Enterprise) and possibly not in the other (mobile...premium)?  Both versions are, and were, up to date.

[gonzo]

I'm not sure what Malwarebytes Enterprise is, but a Windows or Mac version of Malwarebytes would use signatures designed for those operating systems as well as heuristics based on characteristics of those operating systems.  The same would hold true for Mobile.  While you may have the same program that runs on multiple operating systems (Windows, Mac and/or Mobile), they are put together differently based on the rules and requirements of the environment.  The way that ransomware would attack also differs from one OS to another.  All of that being said, I'm not surprised at what you reported.

[ciliegia]

Malwarebytes Enterprise is a version for the corporate world...or in my case, a University. 

Although I understand what you say, one question does remain:  why doesn't it say that there is ransomware and not possibly be ransomware? 

As to my particular situation, I do not leave data or wi-fi on all the time...they are rarely turned on and, more important, I do not use my credit cards or do any banking via the phone...ever.

[gonzo]

I hope your school is not using what we called Malwarebytes Enterprise Edition (MEE), because that is ancient and was replaced 3.5 years ago by another product that has continued to evolve.

Ransomware is not "a" thing, it is a collection of things.  Many or all of the ingredients may be present, but only after the process has begun can you tell that it is what you believe it is.  A poor analogy (which I will use anyway) is that you can have eggs, flour, water, salt and whatever else, but its not a cake until you combine them in the right order and prepare them in the prescribed manner.  Ransomware is similar in that regard.  You can wait, get screwed and know for sure, or recognize the extreme possibility and take precautionary steps.

I hope that answers it better.

[ciliegia]

Well, your analogy works. I will have to check which version of enterprise, but I think they began using it about a year ago. 

The app I installed was Greenify 3.7.1. I do not remember if I downloaded from Google play or another site. It was the donation file. I do know that my McAfee Mobile Premium scan, once updated to the most recent database, showed that it was clean.

[mbam_mtbr]

Hi @ciliegia,

I know I already answered this for you, but I'll re-iterate for others checking the forum: 

 

As already stated in the last forum post:

This warning is from our advanced ransomware scanner.  Apps that have elevated privileges and that have been installed using side loading (anything installed outside of Google Play) are flagged as potential ransomware.

Installation from outside the Play Store plus elevated privileges are big red flags. Therefore, we warn our customers that a suspicious app was installed that displays ransomware like properties. It’s up to the user to ignore our warnings or not.

Ransomware is particularity dangerous, and this warning gives users the ability to cut it off before it’s too late.

This feature is special to Malwarebytes for Android, thus why the desktop version wouldn't show this warning.  Also, the way that mobile detects things and the way that desktop does are completely different.  The best way to check APKs is to use VirusTotal were some vendors use both mobile and desktop to scan.  Unfortunately, at this time we only use the desktop version on VirusTotal so you'll have to run a scan on your mobile device using Malwarebytes for Android to see if we detect.

Thanks again for reaching out,

Nathan

[ciliegia]

I checked the version of Malwarebytes Enterprise that the University uses and it is the MEE version...which still updates the database.  What is the newer version, Gonzo, that you mentioned in your post that replaced it?

[gonzo]

The client (end-user) should have version 1.80.  There are two other number groups after that, but they are not significant.  The client went to that version a little over 2 years ago.  The Management Console is version 1.8, but you would not be able to see that unless you are the Malwarebytes administrator at your site and have access to the server.

[ciliegia]

Gonzo...thanks for your reply.  According to my computer, the version I have is:  1.80.2.1012 and it was built on February 9, 2016.

[gonzo]

I've been waiting for your reply!  If you have that version of client, you are most likely completely up-to-date.  That makes me feel better knowing your admins have kept up with the newer releases and kept you safer in the process.

[ciliegia]

One last question:  does this version of Malwarebytes have anti-exploit built in to it?

[gonzo]

1.80 does not have Anti-Exploit technology in it.  That is a separate product.

[davidryan]

we are totally insecure over internet, these kind of malwares and ransomware are totally out of our control. I was reading an article about this, great to know, must read https://www.ivacy.com/blog/bad-rabbit-things-you-need-to-know-about-this-ransomware/

[Lutzkhie]

if i were me, i will first install the app on an emulator such as memu or bluestacks, scan it there, test it for a few minutes, if everything is good, transfer it to my phone
the emulator acts as a sandbox, its like testing something before actually installing directly to your phone

[andyjames77]

that's true. we are not secure on the internet because we have globally connected to satellite. so there is a big chance that you received a virus from different servers which also connected on it and there is only one solution, FastestVPN which I trust on it, there are many VPN provider who provides security but they are not because they have some leakage in their security. they just only change your IP but not provide you security overall.