At least 2 Android users lost about $100k in CPF savings after installing apps

SINGAPORE - At least two Android users have lost no less than $99,800 of their Central Provident Fund (CPF) savings in June, due to scams involving malware.

In a statement on Saturday, the police said that the victims had come across advertisements marketing groceries like seafood on social media platforms, including Facebook.

The victims then contacted the businesses through their social media platform or WhatsApp.

They were then sent a URL to download an Android Package Kit (APK) file, an application created for Android’s operating system, to order groceries and make a payment.

Apps or APK files from the Internet or a third-party could contain phishing malware.

APKs are installation files for Android apps that can be downloaded from the Internet and third-party app stores, instead of the Google Play Store.

The victims are unaware that the application contains malware that allow scammers to access the victims’ device remotely and steal passwords. This includes Singpass passcode, among other things, which have been stored in the victims’ device.

“The scammer might also call the victim to ask for their Singpass passcode, purportedly to create an account on the application,” said the police.

Victims were then directed to fake bank application login sites to key in their banking credentials to make payment within the app.

The malware with keylogging capabilities would then capture the credentials keyed by the victims in the fake banking sites and sent to the scammer.

The scammers were then able to access the victims’ CPF account remotely using the stolen Singpass passcode and requested to withdraw the victims’ CPF funds through PayNow.

Once the CPF funds are deposited into the victims’ bank accounts, the scammer accessed the victims’ banking application and transfer the CPF funds away via PayNow.

The victims would only realise the scam when they discover unauthorised transactions made to their bank accounts.

The police reminded the public of the dangers of downloading apps from third-party or dubious sites that can lead to malware being installed on victims’ computers, mobile phones and other IT devices.

Scammers trick victims to install malware-infected apps that are not on the app store, police said, advising the public not to download any suspicious APK files on their devices as they may contain phishing malware.

The police also advised the public to adopt precautionary measures, such as updating their devices with the latest security patches and report any fraudulent transactions to the banks immediately.

[[nid:564864]]

For more information on scams, people can visit www.scamalert.sg or call the Anti-Scam Hotline on 1800-722-6688.

Anyone with information on such scams may call the police hotline on 1800-255-0000 or submit information confidentially online at www.police.gov.sg/iwitness.

Mobile device users can also learn more about protecting themselves against malware at https://www.csa.gov.sg/alerts-advisories/Advisories/2021/ad-2021-008.

In recent months, similar cases have occurred here.

For example, in June, a 34-year-old woman lost close to $30,000 after scammers took control of her phone when she downloaded a third-party app.

Separately, at least 113 Android phone users had their banking credentials stolen in phishing scams since March, with losses amounting to at least $445,000.

This article was first published in The Straits Times. Permission required for reproduction.