Android users lose $2.4 million to malware scams that use Facebook and TikTok ads as bait
Victims would encounter payment issues and be lured into installing malicious apps on their devices.
SINGAPORE – Android users should be careful when they come across Facebook or TikTok advertisements for goods and services that invite them to leave their contact details to indicate their interest.
It could be scammers looking to lure victims into installing malicious apps on their devices, the police said in a release on April 17.
At least 128 cases have been reported since February and victims have lost at least $2.4 million, the police added.
After victims leave their contact details to indicate their interest in particular goods or services on a Facebook or TikTok advertisement, scammers would contact their victims through WhatsApp messaging and request a token sum as membership fee payment or an upfront deposit to be made via a URL link.
After the victims enter the payment website and key in their credit or debit card or i-banking login details, they would encounter payment issues.
To resolve the problem, scammers would deceive the victims into downloading a malicious app, in an Android Package Kit (APK) file format, sent through WhatsApp.
The malware would allow scammers to remotely access the victims’ devices to steal sensitive information such as SMS OTPs when the victims try to make payment for the membership fee or deposit.
After having obtained the victims’ card details and access to their SMS OTPs, scammers would perform unauthorised card transactions either from the victims’ mobile devices or their own.
In some cases, before downloading the malicious APK file, victims would also be guided to disable Google Play Protect, which helps to prevent harmful downloads.
Once Google Play Protect is disabled, victims would not receive alerts that malware has been introduced into their mobile phones.
Victims may also be asked to download virtual private network apps from Google Play Store that would facilitate scammers’ connection to their Android device.
Scammers would then be able to bypass the banking anti-malware measures and remotely access the victims’ banking accounts with the phished i-banking login credentials.
Disable “Install Unknown App” or “Unknown Sources” in your phone settings, said the police, and do not grant permission to persistent pop-ups that request access to hardware or data on your devices.
Download and install apps only from official app stores like the Google Play Store and be wary if you are asked to disable Google Play Protect or download unknown apps.
In 2024, scam victims in Singapore lost $1.1 billion
In total, victims in Singapore have lost more than $3.4 billion to scams since 2019.

