Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
The majority of victims were aged 30 to 49, and were most frequently targeted on Facebook and Instagram.
SINGAPORE: Malware-enabled scams involving Android mobile devices led to at least S$34.1 million (US$23.3 million) in losses last year, though the numbers fell towards the end of the year due to a slew of measures rolled out by the authorities and banks.
In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
The Singapore Police Force (SPF) released these latest figures in their annual scams and cybercrime brief on Sunday (Feb 18), which showed a continued rise in the overall number of scams.
Android malware scams became a particular concern last year when the number of cases surged, prompting several public advisories by government agencies.
When SPF released statistics for the first half of 2023, there were more than 750 cases during that period with victims losing at least S$10 million. This included 11 cases involving the unauthorised withdrawal of at least S$218,000 in Central Provident Fund (CPF) savings.
The numbers for the third quarter of 2023 then jumped to 933, before drastically falling to 279 in the fourth quarter.
The majority of malware-enabled scam victims in 2023 were aged 30 to 49, making up 43.7 per cent of victims. Scammers most frequently used Facebook and Instagram – both owned by Meta – to contact victims.
Quarter | Number of cases |
Q1 2023 | 162 |
Q2 2023 | 525 |
Q3 2023 | 933 |
Q4 2023 | 279 |
Scammers deceive Android users into installing malicious apps. They then access the victims’ devices and steal sensitive information to perform fraudulent monetary transactions, stealing funds such as CPF savings.
In their press release on Monday, SPF said that victims generally responded to advertisements for services – such as home cleaning, food purchases and pet grooming – on these social media platforms.
Victims received a web link over WhatsApp from the scammers who posted the ads – under the pretext of asking them for payment.
The link required the victims to download an Android Package Kit (APK) file, which is the format used for apps on Android’s operating system, except that these files contained malware.
After this, fraudsters were able to obtain the victims’ internet banking credentials or card details. The victims then discovered unauthorised transactions on their bank accounts or cards.
In 2023, the police conducted multiple operations against malware-enabled scams, arresting more than 140 people. More than 30 of them were prosecuted in court for offences such as disclosing their Singpass credentials, as well as conspiring to cheat a bank into opening an account.
ANTI-MALWARE MEASURES
SPF detailed a series of measures that were implemented last year to combat the spike in Android malware scams.
In August, OCBC became the first bank in Singapore to block some customers from using its internet banking and mobile banking app if it detected potentially risky apps downloaded from unofficial portals. The move drew flak from customers at the time.
Since then, OCBC has prevented 276 customers from losing S$38.8 million. This was based on customers’ reports that they sideloaded a suspicious app and observed anomalies on their devices, or suffered losses from other banks due to malware-enabled scams, said Ms Loretta Yuen, OCBC’s general counsel and head of group legal and compliance, last Thursday.
Various banks also rolled out upgraded versions of their apps with anti-malware measures.
“Since then, malware-enabled scam cases have started to decline drastically as more people had their banking apps upgraded,” SPF noted.
In November 2023, Singapore’s three local banks – DBS, OCBC and UOB – introduced a money lock feature that allows customers to set aside part of their money in their bank accounts that cannot be digitally transferred.
As of January, more than 49,000 money lock accounts have been set up, with more than S$4.2 billion set aside, said SPF. Other major retail banks will progressively introduce the money lock feature by June.
In January, the director of the Association of Banks in Singapore said the banks will continue to improve on the design of their money-locking features over the coming months.
Currently, DBS and UOB customers have to set up new accounts to use the banks' money-locking features. OCBC customers do not have to set up a new account.
OCBC’s Ms Yuen told reporters that as of Feb 9, S$4.4 billion has been locked across more than 40,000 OCBC accounts. About a third of these customers are aged 50 or above, while close to half of them are between 30 and 50 years old.
Ms Yuen cautioned that malware scammers’ methods are evolving, with OCBC seeing more scammers circumventing the anti-malware measures by guiding their victims step by step on how to do so, resulting in seemingly authorised transactions.
The bank is exploring two new measures but will give more details in the future, said Ms Yuen.
One such measure aims to detect scammers who are accessing victims’ banking apps without exerting pressure on the mobile phones. Another measure involves experimenting with “cognitive breaks”, such as changing certain wordings in OCBC’s banking app to “break the spell” of being scammed.