Another 12 people arrested for roles in bank-related malware scams targeting Android phone users

A total of 11 men and one woman, aged between 17 and 40, were arrested for their suspected involvement in the recent spate of banking-related malware scam cases, following an island-wide anti-scam enforcement operation conducted between Oct 9 and 20.

Over the course of two weeks, officers from the Commercial Affairs Department and Police Intelligence Department mounted simultaneous island-wide operations and arrested the 12 people.

Preliminary investigations revealed that they had allegedly facilitated the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains.

Police investigations are ongoing.

Since January, the police have received increasing number of reports of malware being used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts, even when they had not divulged their Internet banking credentials, one-time passwords (OTPs) or Singpass credentials to anyone.

In these cases, the victims responded to advertisements on social media platforms such as Facebook. They were then instructed by the scammers to download Android Package Kit (APK) from non-official app stores to facilitate the purchase, which led to malware being installed on their mobile devices.

Subsequently, the scammers convinced the victims via phone calls or text messages to turn on accessibility services on their Android phones. This weakened the phones’ security, allowing scammers to take full control of the victims’ phones.

As a result, the scammers could log every keystroke, steal banking credentials stored on the phones, remotely access victims’ banking apps, add money mules as payees, raise payment limits and transfer money to money mules. The scammers could further delete SMSes and email notifications of the bank transactions to cover their tracks.

The offence of acquiring benefits from criminal conduct carries an imprisonment of up to 10 years, a fine of up to $500,000, or both.

The offence of cheating carries an imprisonment term of up to three years, or with a fine, or both, while the offence under the Computer Misuse Act carries a fine of up to $5,000, or an imprisonment term of up to two years, or both.

For disclosing their Singpass credentials, they are liable to an imprisonment term not exceeding three years, a fine of up to $10,000, or both.