10 people, including 16-year-old youth arrested for suspected involvement in malware scams

In an island-wide anti-scam operation, the Commercial Affairs Department (CAD) and Police Intelligence Department (PID) arrested nine men, aged between 18 to 43, and a 16-year-old youth for their suspected involvement in a recent spate of banking-related malware scam cases.

Another three men and three women, aged 17 to 60, are assisting in investigations.

The police said in a statement that they have received increasing reports informing that malware was used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims' bank accounts even though they did not divulge their Internet banking credentials, one-time-passwords (OTPs) or Singpass credentials to anyone.

In these cases, the victims responded to advertisements like those for cleaning services, pet grooming, and food items such as seafood and groceries on social media platforms like Facebook.

They were later instructed by the scammers to download Android Package Kit (APK) files from third-party app stores in order to make purchases.

This would result in malware being installed on the victims' mobile devices.

The scammers then convinced the victims via phone calls or text messages to turn on accessibility services on their Android phones.

This weakens the phones' security and allows the scammer to take full control of the phones so scammers can log every keystroke and steal banking credentials stored in the phones and allows the scammer to remotely log in to the victims' banking apps, add money mules as payees, raise payment limits and transfer monies out to money mules.

The scammers can further delete SMS and email notifications of that bank transfer to cover their tracks.

Preliminary investigations revealed that the 10 suspects had allegedly facilitated the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains.

Police investigations are ongoing.

The police urge members of the public to exercise caution when downloading apps, the police said suspicious links, QR codes, third-party websites and unknown sources should be avoided.

Besides downloading apps from official app stores, they recommend checking the number of downloads and user reviews before clicking on the install button.

"Always be wary of any requests for banking credentials, money transfers or attractive offers that sound too good to be true.

"Members of the public are advised to turn on security settings, such as disallowing installation of apps from unknown sources, to help protect their devices," the police said.

If found guilty of acquiring benefits from criminal conduct, the suspects can be jailed for up to 10 years, fined up to $500,000, or both.

For deceiving banks into opening bank accounts that were not meant for their own use and relinquishing their bank account log-in details, the suspects are liable for two separate offences.

If found guilty of cheating, they can be jailed for up to three years, fined, or both. For breaking the law under the Computer Misuse Act, they can be jailed for up to two years, fined up to $5,000, or both.

For disclosing their Singpass credentials, they can be jailed for up to three years, fined up to $10,000, or both.

For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline on 1800-722-6688.