Android users lose almost $100k in CPF savings this month after downloading app with malware

Android device users lost at least $99,800 in Central Provident Fund (CPF) savings this month after downloading an app containing malware, said police.

Victims would come across advertisements for groceries such as seafood via social media messaging platforms like Facebook.

They would contact the scammers via the social messaging platform such as WhatsApp and the scammers would send a URL to the victims.

The scammers would inform the victims to download an Android Package Kit (APK) file, an application created for Android’s operating system, found at the URL to order groceries and make payment.

Unknown to the victims, the application would contain malware that allowed scammers to access the victims’ devices remotely and steal passwords, including the Singpass passcode, stored in the device.

The scammer might also call the victim to ask for their Singpass passcode purportedly to create an account on the application.

Victims would be directed to fake bank application log-in sites to key in their banking credentials to make payment within the application. The malware with key-logging capabilities would then capture the credentials keyed by the victim in the fake banking sites and send them to the scammer.

The scammers would then access the victim’s CPF account remotely using the stolen Singpass passcode and request to withdraw the victims' CPF funds via PayNow.

Once the CPF funds are deposited into the victims’ bank accounts, the scammer will access the victims’ banking application and transfer the CPF funds away via PayNow.

The victims would only realise the scam when they discover unauthorised transactions made to their bank accounts.

The police have received at least two reports of such cases this month.

Last week, four men and four women, aged between 19 and 35, were arrested for their suspected involvement in the recent spate of banking-related malware incidents.