Android malware scam victims lost over S$10 million in first half of 2023: Police

SINGAPORE — More than 750 cases of Android device users falling prey to malware scams were reported in the first half of 2023, with 11 involving the unauthorised withdrawal of Central Provident Fund (CPF) savings, said the police on Wednesday (Sept 13).

The total amount cheated in these scams came up to at least S$10 million — including at least S$218,000 in CPF savings across 11 cases.

However, the police’s Anti-Scam Command recovered some of the CPF money, bringing down the net loss to about S$130,000.

These latest numbers from the Singapore Police Force's mid-year scams and cybercrime statistics showed a continuing rise in the overall number of scams in the first half of this year compared with the same period last year.

The growing spate of scams targeting Android users has prompted several public advisories by the authorities. Most recently in August, the police and Cyber Security of Singapore issued a joint advisory highlighting some tactics used by scammers.

Fraudsters are using increasingly sophisticated schemes to deceive people into installing malicious apps. They then access the victims’ devices and steal sensitive information to perform fraudulent monetary transactions, stealing funds such as CPF savings.

In their press release on Wednesday, police said that victims generally responded to advertisements for services — such as home cleaning and pet grooming — on social media platforms like Facebook and Instagram.

The scammers who posted these ads then sent the victims a web link over WhatsApp under the pretext of asking them for payment.

The link required the victims to download an Android Package Kit file, which is an app created for Android’s operating system.

After this, fraudsters were able to obtain the victims’ internet banking credentials or card details. The victims then discovered unauthorised transactions on their bank accounts or cards.

In June, a 16-year-old was among nine people nabbed by police for their suspected involvement in Android malware scams. In some cases, CPF savings were withdrawn and credited to the victims' bank accounts before being transferred out.

Most of those arrested had allegedly facilitated the scams by relinquishing their bank accounts or internet banking credentials, or by disclosing their Singpass credentials for monetary gains.

FURTHER MOVES BY BANKS, MAS

The Monetary Authority of Singapore and banks will “progressively introduce additional measures” to combat malware-related scams, as part of their anti-scam efforts, said the police on Wednesday.

In August, OCBC became the first bank in Singapore to block some customers from using its internet banking and mobile banking app if it detected potentially risky apps downloaded from unofficial portals.

This was a new security measure implemented to protect customers from malware, OCBC said at the time.

The move drew negative feedback from some users, who complained that apps like online payment platform Alipay were among those flagged by OCBC’s security measure.

The police said the security measure deals with the danger of downloading apps that are not from the official app stores. Malware-related scams are often carried out through apps downloaded from third-party or dubious sites.

“Such apps may contain malware and can result in confidential data, such as banking credentials, being stolen,” the police noted.

“While there may be some measure of added inconvenience for customers, these additional anti-malware measures are necessary to protect customers from malware-related scams.”

In June, additional authentication measures were also introduced to increase protection for CPF members in light of the rise in malware-related scams. Those who log in to their accounts using their Singpass may now have to go through face verification. CNA