SINGAPORE — The Singapore Police have issued a warning to Android users after at least two individuals lost an aggregate sum of S$99,800 from their Central Provident Fund (CPF) savings due to a new kind of malware scam this June.
Victims reportedly stumbled upon advertisements for groceries, including seafood, on various social media platforms, primarily Facebook.
After reaching out to the businesses through social media or WhatsApp, they were directed to download an Android Package Kit (APK) file to place orders and process payments.
APKs are installation files for Android apps, which can be downloaded from the Internet and third-party app stores, as opposed to the official Google Play Store. These APK files could contain malicious software or “malware”, particularly those designed for phishing.
Unwitting victims, unaware of the hidden malware in the downloaded application, opened their devices to remote access by scammers. This allowed the cybercriminals to pilfer sensitive data such as Singpass passcodes and other stored information on the victims’ devices.
“The scammer might also call the victim to ask for their Singpass passcode, purportedly to create an account on the application,” the police cautioned.
Further exploiting the victims’ trust, scammers directed them to phony bank application login sites to input their banking credentials. Equipped with keylogging capabilities, the malware would record the information and transmit it to the scammers.
These cybercriminals, now possessing stolen Singpass passcodes, accessed victims’ CPF accounts remotely. They withdrew funds through PayNow, which were then deposited into the victims’ bank accounts. Subsequently, the scammers utilized the victims’ banking application to transfer the CPF funds away via PayNow.
Victims only detected the scam when they noticed unauthorized transactions in their bank accounts.
The police warned the public about the risks of downloading apps from third-party or dubious websites, stating that these sources can often lead to malware being installed on their devices.
They emphasized the criminals’ tactics of manipulating victims into downloading malware-laden apps unavailable on the official app stores.
The public has been strongly advised against downloading any suspicious APK files on their devices due to potential malware risks.
Additionally, the police have urged individuals to keep their devices updated with the latest security patches and report any fraudulent transactions to their banks immediately.
For more information on scams, people can visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688.
Anyone with information on such scams may call the police hotline on 1800-255-0000 or submit information confidentially online at www.police.gov.sg/iwitness.