Two 16-year-old boys among 18 arrested for roles in Android malware scams in latest police raids

Fourteen men and two women, aged between 17 and 47, and two 16-year-old male teenagers have been arrested for their suspected involvement in the recent spate of banking-related malware scam cases, said the police.

Another eight men and three women, aged between 17 and 55, and two 16-year-old female teenagers are assisting in the investigations after island-wide anti-scam enforcement operations conducted by officers from the Commercial Affairs Department and Police Intelligence Department between Sept 25 and Oct 6.

Preliminary investigations revealed that 11 men and two women, and the two male teens had allegedly facilitated the scam cases by relinquishing their bank accounts, Internet banking credentials or disclosing Singpass credentials for monetary gains.

A 45-year-old man is believed to have withdrawn money from a money mule’s bank account and handed the money to an unknown person.

Preliminary investigations also revealed that a 47-year-old man had allegedly received and withdrawn some criminal proceeds from his bank account and a 17-year-old male teen is believed to have assisted his friends to sell their bank accounts to an unknown person on Telegram.

Police investigations are ongoing.

Since January 2023, the police have received increasing number of reports of malware being used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts.

In these cases, the victims responded to advertisements on social media platforms like Facebook. They were then instructed by the scammers to download Android Package Kit from non-official app stores to facilitate the purchase, which led to malware being installed on their mobile devices.

Subsequently, the scammers convinced the victims via phone calls or text messages to turn on accessibility services on their Android phones.

This weakened the phones’ security, allowing scammers to take full control of the victims’ phones.

As a result, the scammers could log every keystroke, steal banking credentials stored on the phones, remotely access the victims’ banking apps, add money mules as payees, raise payment limits and transfer money to money mules.

The scammers can further delete SMSes and email notifications related to these bank transfers to cover their tracks.

The offence of acquiring benefits from criminal conduct carries an imprisonment of up to 10 years, a fine of up to $500,000, or both.

The offence of cheating carries an imprisonment term of up to three years, or with a fine, or both, while the offence under the Computer Misuse Act 1993 carries a fine of up to $5,000, or an imprisonment term of up to two years, or both.

For disclosing their Singpass credentials, they are liable to an imprisonment term not exceeding three years, a fine of up to $10,000, or both.