Advisory on the Emergence of Malware Scams In Singapore

There is an emergence of scams involving malicious software or “malware” that infects android devices, enabling scammers to siphon out funds from bank accounts (and in some cases CPF accounts). From January to June 2023, there were more than 700 reports of malware-related scams with losses in these cases amounting to $8 million. Eight of these malware scams involved CPF savings with an aggregate net loss of $124,000. In such malware scams:

1. The victim uses his phone to click on a Facebook or other social media advertisement selling an item at a steep discount.
2. The victim receives a link from the “seller” to download an Android Package Kit (or APK) from a non-official app store to facilitate the purchase.
3. Opening the APK installs a malicious application on the phone.
4. Once installed, the scammer convinces the victim via phone call or text message to grant the app accessibility permissions on his Android phone.
5. This allows the scammer to take full control of the phone, and to steal the victim’s banking credentials.
6. The scammer may also log in to the victim's CPF account through Singpass to make a withdrawal. Although CPF withdrawals can only be paid to a bank account verified to belong to the CPF member, the scammer can subsequently transfer the money out from the victim's bank account using the stolen banking credentials from the phone.