Setup & Transfer system application detected as malware

Today (4/2/18) Malwarebytes Mobile is detecting the system application Setup & Transfer as the following:

Android/Trojan.Banker.Hqwar.i

This is a pre-existing (I think AT&T?) system application which cannot be removed, only disabled. I also get a prompt asking if I want to whitelist it, which I have not. There was only one other user who posted about this in the Malware Removal for Mobile forum (sorry if this is considered a cross-post). Has anyone else encountered this today? Any chance it is just a false positive?

App version: 3.2.1.2 and Malware database is 2018.04.02.01

 


I received the same results about SETUP & TRANSFER on an AT&T device, and another family member got the same result about Setup & Transfer from a different security program as well. So I am "guessing" it is not a false positive. I reported this to AT&T.

It's located in:  /system/priv-app/ready2Go_ATT/ready2Go_ATT.apk


I have seen this as well.

I don't think it is a false positive either, because I've had a fake Amazon application appear on my screen that went nowhere at the login, multiple login requests from my phone for my main email at weird hours, and INCREDIBLY slow everything on my phone all of a sudden.

I have factory reset twice (both in different ways), and the second time almost got stuck rebooting. Did another scan, still there.

It could be coincidence on my end, but I pay really close attention to everything on my phone, and there has definitely been a change on it (S7 Edge).

I hope this gets fixed, I don't feel safe doing much on my phone, not even texting or calling. 


Come on now Malwarebytes!!!!!! I received the same results about SETUP & TRANSFER on an AT&T device as well. I had Malwarebytes on my system for a while and all of a sudden it popped up last night, causing a great deal of pain. I wiped my device, factory reset my device, and it still shows up. No offense, but I am thinking about throwing this software away if this is all a FP. I am already paranoid, and the answer AT&T gave me really pissed me off. The rep told me mobile devices never get viruses or malware, which couldn't be further from the truth. I thought maybe something came OTA (over the air) because I don't surf on my phone.
It's located in:  /system/priv-app/ready2Go_ATT/ready2Go_ATT.apk


Add my name to the list of users with the same Malware alert on the same AT&T file; Samsung S7. Did a hard reset of the phone and it still shows up on the native app. I too have disabled the app as it cannot be removed without rooting the phone. Since I don't want a bricked phone, I'll wait to see if this is a FP or if removal instructions are forthcoming.


13 minutes ago, Pope54 said:

Add me to this list. If some users still have it after factory reset, could it be assumed to be a false positive? This app has been there since my last factory reset.

I would wait until someone from Malwarebytes confirms that it's a FP.  I assume that it is a FP, but am not doing anything with it right now.  My phone is as fast as always so I see no ill effect.


1 hour ago, Ericpro1 said:

Come on now Malwarebytes!!!!!! I received the same results about SETUP & TRANSFER on an AT&T device as well. I had Malwarebytes on my system for a while and all of a sudden it popped up last night, causing a great deal of pain. I wiped my device, factory reset my device, and it still shows up. No offense, but I am thinking about throwing this software away if this is all a FP. I am already paranoid, and the answer AT&T gave me really pissed me off. The rep told me mobile devices never get viruses or malware, which couldn't be further from the truth. I thought maybe something came OTA (over the air) because I don't surf on my phone.
It's located in:  /system/priv-app/ready2Go_ATT/ready2Go_ATT.apk

Yeah, I'm getting paranoid as well, and thank you for saving me a call to them.

The answer you got from AT&T is very troubling, but I guess that's just what they are told to say to cover themselves.

Please Malwarebytes, I've stood by you guys and you have caught so many actual issues on my computers and phones in the past, just a little help would be good :}


Threat detected.

MWB version 3.2.1.2, malware database 2018.04.02.01, phishing database 2018.03.31.02.

Path: /system/priv-app/ready2Go_ATT/ready2GoATT.apk

System: SAMSUNG-SM-G891A, Android 7.0, kernel version 3.18.31-13107193 dpi@SWDG5121 #1 Thu Feb 22 17:55:32 KST 2018, baseband version G891AUCU2BRB5. This is a Samsung Galaxy S7 Active.


I've also received an alert, on a brand new Galaxy S8 Active. I've barely even used it yet & I've had Malwarebytes on the phone since I walked out of the AT&T store. I have disabled it but cannot delete it. Waiting on an official response, getting paranoid after reading up a little on what trojan.banker.hqwar is designed to steal bank info. PLEASE HELP ASAP!


I also received an alert last night, tried factory reset, etc., and no luck. I have an AT&T Samsung S7, but I use another carrier, so every time I've ever started it, I get a notification that Setup and Transfer is a service that is unavailable. So, could it still affect my phone?? Very worried here, too!
