SINGAPORE – At least two Android users have lost no less than $99,800 of their Central Provident Fund (CPF) savings in June, due to scams involving malware.
In a statement on Saturday, the police said that the victims had come across advertisements marketing groceries like seafood on social media platforms, including Facebook.
The victims then contacted the businesses through their social media platform or WhatsApp.
They were then sent a URL to download an Android Package Kit (APK) file, an application created for Android’s operating system, to order groceries and make a payment.
Apps or APK files from the Internet or a third party could contain phishing malware.
APKs are installation files for Android apps that can be downloaded from the Internet and third-party app stores, instead of the Google Play Store.
The victims are unaware that the application contains malware that allows scammers to access the victims’ devices remotely and steal passwords. These include the Singpass passcode, among other things, stored on the victims’ devices.
“The scammer might also call the victim to ask for their Singpass passcode, purportedly to create an account on the application,” said the police.
Victims were then directed to fake bank application login sites to key in their banking credentials to make payment within the app.
The malware, which has keylogging capabilities, would then capture the credentials keyed in by the victims on the fake banking sites and send them to the scammer.
The scammers were then able to access the victims’ CPF accounts remotely using the stolen Singpass passcode and request withdrawal of the victims’ CPF funds through PayNow.
Once the CPF funds were deposited into the victims’ bank accounts, the scammer accessed the victims’ banking application and transferred the CPF funds away via PayNow.
The victims would only realise the scam when they discover