Follow us on Telegram for the latest updates: https://t.me/mothershipsg
The Singapore police has issued an advisory on June 17 to alert the public using Android devices on the emergence of scams involving malware.
This was after losses from victims’ Central Provident Fund (CPF) accounts, as well as bank accounts, have occurred.
Since June 2023, the police have received at least two reports of such cases, with the CPF savings loss amounting to at least S$99,800.
How scam works
Downloading of app from scammer
Members of the public would come across advertisements for groceries, such as for seafood, via social media messaging platforms like Facebook.
Victims would contact the scammers via the social messaging platform or WhatsApp and the scammers would send a uniform resource locator (URL) to the victims.
The scammers would inform the victims to download an Android Package Kit (APK) file, an application created for Android’s operating system, found at the URL to order groceries and make payment.
App contains malware that can steal passwords & passcodes
Unknown to the victims, the application would contain malware that allowed scammers to access the victims’ device remotely and steal passwords, including the Singpass passcode stored in the device.
The scammer might also call the victim to ask for their Singpass passcode, purportedly to create an account on the application.
Fake login sites
Victims would be directed to fake bank application login sites to key in their banking credentials to make payment within the application.
The malware with keylogging capabilities would then capture the credentials keyed by the victim in the fake banking sites and send it to the scammer.
Access CPF account, transfer funds out
The scammers would then access the victim’s CPF account remotely using the stolen Singpass passcode and request to withdraw the victims’ CPF funds via PayNow.
Once the CPF funds are deposited into the victims’ bank accounts, the scammer will access the victims’ banking application and transfer the CPF funds away via PayNow.
The victims would only realise the scam when they discover unauthorised transactions made to their bank accounts.
Do not be tricked
The police reminded members of the public of the dangers of downloading applications from third-party or dubious sites that can lead to malware being installed on victims’ mobile phones, computers, and other Information Communications Technology (ICT) devices.
Scammers will trick victims into installing malware-infected applications that are outside the app store.
Members of the public are advised not to download any suspicious APK files on their devices as they may contain phishing malware.
Precautionary steps to take
The police advised members of the public to adopt the following precautionary measures:
a) ADD - anti-virus/ anti-malware applications to your device.
Update your devices’ operating systems and applications regularly to be protected by the latest security patches.
Disable “Install Unknown App” or “Unknown Sources” in your phone settings.
Do not grant permission to persistent pop-ups that request for access to your device’s hardware or data.
b) CHECK - the developer information on the application listing as well as the number of downloads and user reviews to ensure it is a reputable and legitimate application.
Only download and install applications from official app stores (i.e., Google Play Store for Android).
c) TELL - Authorities, family, and friends about scams.
Report any fraudulent transactions to your bank immediately.
The public can call the police hotline at 1800-255-0000, or submit a report online at www.police.gov.sg/iwitness for scam-related crimes.
All information will be kept strictly confidential.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688.
To find out more about malware and the preventive steps that users can take to protect their devices, please refer to CSA's SingCERT advisory.
Top photos via SPF & Unsplash