GammaRayBurst

You've Won a Free iPhone Virus; App not Fully Installing, Beta Pgm Full?

Hello,

Late yesterday afternoon I got what I'm sure is a virus on my phone (possibly as a result of using the free wifi at my local library). It was an alarm "event" that was going off, saying "You have won an iPhone..." with options for dismiss or snooze. I knew that you never want to click on something like that, so I didn't want to use the buttons to dismiss it. I clicked the home button, but it didn't work. So I powered off the phone and restarted. The alarm event was gone, but then I started seeing notifications saying the same. They had an odd icon to the left of them, nothing I wanted to click on. I swiped right to dismiss them.

The first thing I did was go to my PC and change the password on the two Gmail accounts that I usually leave logged in. I read something I found through a Google search that said it may have been related to Chrome, so I closed the browser, and the notifications seemed to stop, but I don't know what might remain infected.

I booted into safe mode, reconnected my Google accounts, then deleted all the updates in Chrome, and reinstalled the browser. I have not re-synched it at this point.

I knew that I need an anti-malware app, and have Malwarebytes on a desktop computer, so I searched Google and found a page at support.malwarebytes.com/docs/DOC-1308, which directed me to go to Google Play Store and type in "Malwarebytes for Android." I went through the installation, but when I went looking for the app on the apps list to open it, the app wasn't there. Neither was there an "Open" button on the Google Play Store page. Then I noticed that on that same page was a section titled "Beta program is full," and underneath that: "The beta program for this app is currently full."

Thinking that I had installed some beta app by mistake, I uninstalled it, then went to Malwarebytes's main website and followed a link for the Premium Malwarebytes for Android app, then clicked through to Google Play Store for the premium Android app, which seemed to have a different title, "Malwarebytes Security: Virus Cleaner, Anti-Malware." I went through the whole installation again, but again noted no app in the apps list, and a message that the "beta program is full." However, the app shows 10M+ downloads! That sounds wider than a beta program to me.

What's odd is that, in both cases, there actually IS an app listed under Settings >> Application Manager >> Downloaded apps, saying Malwarebytes 60.16 MB. The Google Play Store page says that the app is version 3.7.2.1, and was last updated August 5, 2019.

Even after restarting (back into Safe Mode), it's still not listed in my apps list (only under Application Manager >> Downloaded).

Somewhere I read (but now can't find it) that the app supports version 4 point something and above. I have Android version 5.1.1. (It's a cheapie Samsung prepaid phone that I bought a couple years ago, but Verizon hasn't pushed down any system update since early 2018.)

So, what gives? Why can I not get this app to fully install and run? Is this an effect of the virus? Or might there be another issue preventing a completion of the installation, such as space requirements? (I have ES File Explorer, but it can't be run in Safe Mode, so can't check space.) Oddly, I don't believe I see a folder for it under My Files, but then it might be hidden.

Thanks for your help.


Hi @GammaRayBurst,

To start, the pop-up was most likely browser related. This is caused by the way most browsers handle redirections executed by JavaScript code. Most browsers don't do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this, and exploit this weakness. Even if an advertising affiliate is shut down for using this exploit, they just come back with a different affiliate ID and are right back at it.

If you encounter these pop-ups again, back out of them using Android's back key. Also, clearing your history and cache will help stop the ads from reoccurring.

Next, as far as the installation of Malwarebytes for Android, are you able to open the app? Your best bet is to send a ticket to our support staff -> Malwarebytes Support

Nathan


Hi Nathan.

I didn't want to do that "responding to my own post" thing before I got a reply, as I know that's sort of frowned upon.

Yes, I was certain that it was Chrome browser related after reading on an Android Central forum that I should boot into safe mode, delete the Chrome updates, then reinstall, which I did. (Does doing that delete the former browser cache?)

I figured out the installation issue.

Ever since I added a 32GB SD card to the device, it has been installing all apps to the SD card, not sure why. While looking at my apps list in Safe Mode, I took note of which apps were grayed out and off limits while in Safe Mode. I suddenly noticed a pattern: they were all apps installed on the SD card. I then realized that the SD card was probably not mounted in Safe Mode, and I would probably need to uninstall MBAM, reboot into normal mode with the SD card mounted, and reinstall...

I did that, and I was able to install the Premium version just fine; it came up on the Google Play Store page with the Open button, etc. (Apparently when the install fails for ANY reason, the Google Play Store message defaults to "the beta program is full.")

I did a scan, and it came up clean. So far, knock on wood, it has not recurred. And with MBAM installed, hopefully no redirects. I know that it does a great job on my desktop computer.

***

I noted that the "You have won..." looked like an alarm going off. It had the red dismiss button and the yellow snooze button. But it said "Event" in tiny letters, and was blocking the function of the Home button. I can't recall if I tried the Back key. (I tested an alarm, and it says "Alarm" in tiny letters, not "Event." Plus, the Home button still retains its function.)

How is it that Chrome adware could inject such a thing, overriding the Home button function, when my phone isn't jailbroken? You wouldn't think Google would give ANY app that sort of override.

***

Does MBAM for Android protect against ransomware if you don't use the Administrator function? I know that these days most malware is probably ransomware. Or at least a very high percentage of it is?

If I do use the Admin function, it enforces a screen lock with a strong password? My only complaint about that is that the screen lock is activated every time the screen times out, which on mine (to save power) is five minutes. So, every time my phone times out, instead of simply swiping, I'd have to enter a strong password? If that is the only true way to protect against ransomware, then I guess I'd need to seriously consider it. It's annoying that we have to suffer such inconvenience to simply use our phones.


It is a malvertisement and is web based and not based upon what's on your device. However, the malvertising web site will use the device's User-Agent and GeoIP to perform victim-specific targeting.


Hi @GammaRayBurst,

Glad you figured out the install issue.

As far as ransomware detection, yes, we require device admin rights. Luckily, ransomware has been on the decline recently. However, as nasty as it is, it's worth protecting against.

Please note that Malwarebytes for Android does not use device administration rights for erasing mobile devices, nor any other drastic actions.

Ransomware is particularly dangerous, and if given device administration rights (accidentally), it can render the device unusable. By giving Malwarebytes for Android device administration rights, we can remediate ransomware even after it is given privileged rights.

For example, some ransomware may change the device's user PIN. We can remediate this if given device admin rights to reset the PIN (via SMS commands).

Also, device admin rights protect Malwarebytes for Android from being uninstalled by malware.

If you would prefer to not give Malwarebytes for Android device administration rights and forgo protection from ransomware, our application will continue to run without those rights.

As far as a password for the lock screen goes, yes, it is a pain, but not a bad idea to have it locked. You can just use a simple PIN/pattern. You can adjust how long it takes the screen to lock separately from the time it powers off the screen. It should be in your security settings.

Nathan


Thank you for the good answers.

I guess it's always a choice between ease of use versus absolute security. We live in a different time now.

One thing I had done fairly recently that was different was that I had used the free wifi at our local public library, about 6:30pm on a Saturday. That may have opened me up to something.

A couple more questions:

What user information is malvertising like that able to grab from the browser and/or my system on my phone? I worried that my Gmail passwords could have been compromised, because my phone automatically reconnects to my two different Gmail accounts.

Is most ransomware today directed toward larger enterprises with more money? I was just listening to NPR radio this afternoon, which had a segment about ransomware against city governments. The ransom was over $400K. I've also heard of hospitals being attacked, so I was thinking that maybe they've shifted to attacking enterprises that: a) are critical to the functioning of government or healthcare services; and b) have deeper pockets than individuals. Or are there still a lot of individuals falling victim?

I almost never click on unknown websites, but this malvertising is always a source of danger. I don't mind the ads for things I've recently shopped for. I suspect it's the sites that pull just random ads that are the problem, as it's the luck of the draw with those. It's a lot like playing Russian roulette every time you pull a random ad. I don't see why malvertising can't be stopped. The screening on those definitely needs to be beefed up.

Was I right that if I had clicked on any of the "alarm" buttons on this particular "You have won," then there could have been either identity theft or ransomware behind it?

As always, thank you for your help. 


Malvertising is not meant to harvest information per se. It is meant to present some kind of social engineering fraud. It could be "You Won", "Your software X needs to be updated", it could be a fake news report pushing some snake oil product, or it could be a FakeAlert.

Some Examples of FakeAlerts:
FakeAlert-Screens.pdf  /  Flash Version

 

There are different flavours of ransomware and they have different target audiences. It's all about the money (in Bitcoin form). Obviously a corporate victim would get a higher value ransom than an individual.

"Was I right that if I had clicked on any of the "alarm" buttons on this particular "You have won," then there could have been either identity theft or ransomware behind it?"

Doubtful. They might try to get you to divulge Personally Identifiable Information (PII) to use in other schemes and/or they could try to push a snake oil remedy, get you to use some product, access a particular web site, or some other objective to obtain affiliate revenue.

Different scams have different results, and you are mixing them all up.
