Woman who scanned QR code with malware lost $20k to bubble tea survey scam while she was sleeping

The woman visited a bubble tea shop and saw a sticker encouraging customers to do an online survey to get a free cup of milk tea. PHOTO ILLUSTRATION: PEXELS

SINGAPORE - She visited a bubble tea shop and saw a sticker pasted on its glass door, encouraging customers to do an online survey to get a free cup of milk tea.

Enticed by what seemed like a good deal, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app onto her Android phone to complete the “survey”.

That night, as she was sleeping, her mobile phone suddenly lit up.

Thanks to the app she had downloaded, scammers used it to take over her device and moved $20,000 from her bank account.

Worryingly, she is not the only victim of such malware scams.

In April, the police and the Cyber Security Agency of Singapore warned the public about downloading apps from dubious sites that can lead to malware being installed onto victims’ mobile phones.

They said such malware has resulted in confidential and sensitive data, including banking credentials, being stolen.

That month, the police also alerted the public to the resurgence of phishing scams involving malware installed on victims’ Android phones. The police had said that since March, there have been at least 113 victims who lost at least $445,000.

The case of the bubble tea survey scam was related to The Sunday Times by Mr Beaver Chua, head of anti-fraud at OCBC Bank’s group financial crime compliance department, last week.

He said: “While malware scams are not particularly new, scammers are getting increasingly innovative.

“Besides website pop-up banners, which are most common, pasting bogus QR codes outside F&B establishments is another cunning way to hook victims as consumers may not be able to differentiate between legitimate and malicious QR codes.”

How the scam works

Mr Chua said that when the victim scans the QR code, he is prompted to download an app containing malware and is made to grant access to the phone’s microphone and camera.

He is also asked to enable Android Accessibility Service, an app intended to assist users with disabilities, which allows the scammer to view and control the victim’s screen.

The scammer waits for the victim to use his mobile banking app and notes his login credentials and password. The scammer can also disable the facial recognition function, so the victim has to physically key in his details to log into his account, allowing the crook to record the information.

The scammer then accesses the camera to monitor the victim’s activity, waiting for the right moment to strike.

At night, when the victim is sleeping, the scammer takes control of the phone through the malware.

He logs into the victim’s mobile banking app and transfers money out of his bank account.

Said Mr Chua: “This scam is so insidious because scammers take over the victim’s phone. And because victims lose control of their Internet banking account, they won’t even know when their savings have been completely wiped out.”

Mr Beaver Chua said scammers tend to paste these manipulated QR codes near authorised scan-to-pay signs, which trick customers into thinking they are legitimate. ST PHOTO: NG SOR LUAN

Mr Chua said scammers tend to paste these manipulated QR codes near authorised scan-to-pay signs, which trick customers into thinking they are legitimate.

University student Char Shao Wen, 25, who buys bubble tea twice a week, said she is alert whenever she scans a QR code at such shops.

“I drink bubble tea often, so hearing that such a scam exists is scary. And if they’re pasted near legitimate QR codes, I would imagine it will be a lot tougher to detect,” she added.

Mr Chua said scammers can also paste such deceptive QR codes on lamp posts near traffic lights, waiting for a victim to take the bait.

Mr Yeo Siang Tiong, general manager for South-east Asia at cyber-security firm Kaspersky, said businesses should stay vigilant to promotional stickers and QR codes that have been placed on their premises without their knowledge.

He warned customers, saying: “If the code looks tampered with or suspicious, consider asking the establishment for advice.”

Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore, said the risk of malware is not new and people have been warned of that for some time.

She said: “It remains critically important for everyone to practise cyber-security discipline by not clicking unknown links or installing unknown apps or software onto their devices. While banks will continue to do our part in surveillance and recovery efforts, the strongest defence against scams is a watchful and discerning public.”

In 2022, scam victims in Singapore lost $660.7 million, up from $632 million in 2021, bringing the total to almost $1.3 billion lost in two years.

There were 31,728 scam cases reported in 2022, up from 23,933 cases in 2021.

Why malware scams target Android users

Kaspersky’s Mr Yeo said Android operating system software is open source, allowing anyone to modify it.

He added: “This makes it easier for hackers to discover and exploit security vulnerabilities in the software in case of developer mistakes. In turn, this results in malicious apps finding their way onto Android devices easily, increasing the susceptibility of Android users to attacks.”

On the other hand, he said, iPhone users are less susceptible to malware scams via apps as iOS users can download apps only from the Apple App Store, which has stringent guidelines for app developers. This ensures only legitimate and secure apps are available to users.

But he added: “Although malware scams are less common in iPhone devices, they are not unheard of and are silently on the rise.”

Join ST's WhatsApp Channel and get the latest news and must-reads.