Victims lose $114k from their CPF after downloading Android app, 16-year-old among 9 people arrested

Seven men and a woman, aged between 20 and 28, as well as a 16-year-old were arrested for their suspected involvement in the recent spate of banking-related phishing scam cases involving malware attacks on Android mobile devices, said the police.

The arrests were made in an island-wide anti-scam enforcement operation conducted between June 19 and 23 by the Commercial Affairs Department and Police Intelligence Department.

Another two women and a man, aged between 27 and 57, are assisting in the investigations.

Case exhibits such as a mobile phone and several bank cards were seized, and close to 20 bank accounts were frozen with a sum of more than $54,000 seized.

Victims lost a total of more than $221,000, including more than $114,000 of money from their Central Provident Fund (CPF) accounts.

In these cases, the victims responded to advertisements for food items such as seafood and groceries on social media platforms like Facebook and were later instructed by the scammers to download mobile apps from third-party sites or via WhatsApp, leading to malware being installed on the victims’ mobile devices.

Unknown to the victims, the apps, which contained the malware, enabled the scammers to access the victims’ mobile devices remotely and steal Internet banking credentials, OTPs, Singpass credentials, and other personal information found in the devices.

With the stolen credentials, the scammers gained illegal access to the victims’ CPF accounts by accessing the victims’ Singpass app and bank accounts.

The scammers subsequently carried out unauthorised withdrawals from the victims’ CPF accounts to the victims’ bank accounts, before making further unauthorised transactions from the victims’ bank accounts to several money mules’ bank accounts.

The police have received several reports of this since late last month.

Five of the men arrested as well as the woman and the teenager had allegedly facilitated in the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains.

The other two men are believed to have withdrawn money from some of the money mules’ bank accounts and handed the money to unknown persons.

Police investigations are ongoing.