HANOI: One hour. That is all the time it takes to build malicious software that can access the camera, messages, calls, storage, microphone, location, contacts — nearly everything — on a victim’s phone.
And cyber threat hunter Ngo Minh Hieu finds more than half a million such malware apps created every day in his work for Vietnam’s National Cyber Security Centre.
Vietnam saw a 64 per cent rise in online fraud in the first half of this year compared with the same period last year, according to the country’s Authority of Information Security.
A growing number of incidents in the last five years are related to malware, said Nguyen Quang Dong, the director of the Institute for Policy Studies and Media Development.
The flurry of fraudulent activity has landed Vietnam among the world’s top 10 cybercrime hotspots according to the Global Tech Council, the programme Talking Point found as it investigated who might be behind the malware scams that have emerged in Singapore this year.
FORMER SCAMMER BECOMES CYBER THREAT HUNTER
Between January and August, more than 1,400 victims in Singapore lost at least S$20.6 million in total, police said.
The perpetrators linked to malware scams have mostly played the role of money mules, said Ang Hua Huang, assistant superintendent at the newly operationalised anti-scam command centre run by the Singapore Police Force.
There have been teenagers arrested for suspected involvement.
“These are people who relinquish their bank accounts or even sell their Singpass credentials over job offers on Telegram,” said Ang. This allows scammers to transfer money from the victim’s bank account to a local bank account.
“They’re facilitating the scam syndicates in laundering money overseas.”
The syndicates themselves are usually from neighbouring countries, Ang said.
Over in Vietnam, young people make up the majority of the malware scammers, said Dong, and they mostly operate as individuals.
“Young people here are good at technology. They’re tech-savvy. And some people self-study too. They learn about (hacking) skills,” he said.
Indeed, there is no shortage of tech-savvy individuals in Vietnam — computer science is compulsory in most public schools in Hanoi and Ho Chi Minh City, starting from third grade. When students reach high school, coding is compulsory in IT classes.
Today, Vietnam is known to have one of the best high-tech talent pools in Asia.
For those without technical experience, getting their hands on malware apps is as simple as shopping on e-commerce platform eBay, said Hieu. Scammers can use Telegram to subscribe to “malware as a service” or “phishing as a service”, which means for US$300 (S$410) to US$500, they can access the malware of their choice for a month.
There is new malware that can be invisible to antivirus software, said Vu Ngoc Son, technical director at the Vietnam National Cyber Security Technology Corporation. This could mean warning messages will not pop up before a user proceeds to download a piece of malware.
There have also been “high-profile incidents” targeting politicians or certain journalists to steal information, Hieu said. “It costs a lot of money and time to invest or research into these vulnerabilities (on the phone).”
And it could affect Android, Windows or iOS. Anything could be possible with time, he warned. “The phone (security features will) never catch up 100 per cent with the rate of building malwares. Each day, I find more than half a million new malware.”
In Singapore, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) proposed this week a way in which companies and consumers could share losses arising from scams.
If they are found to have breached their responsibilities, financial institutions and telecommunication companies (telcos) may have to compensate their customers who fall prey to scams.
These responsibilities may include failure by banks to send outgoing transaction alerts to consumers and failure by telcos to implement a scam filter for SMS messages. The framework will focus on phishing scams for a start.
The framework does not include malware scams for now. They are relatively new, and with risk-mitigation measures still being rolled out, it would be “premature” to set out specific responsibilities for the different stakeholders, the MAS and IMDA said.
For example, major retail banks here have rolled out new anti-malware security updates and are looking to introduce a “money lock” feature, which would allow customers to set aside a certain amount in their accounts that cannot be digitally transferred out without strict authentication measures.
Watch the second episode of this Talking Point special here and the first part here. The programme airs on Channel 5 every Thursday at 9.30pm.