SINGAPORE: All that Junia Tan wanted was a good deal: a fried chicken dinner with free delivery, as promised by the advertisement she saw on Facebook.
What was the catch? She eventually had to download an app to complete payment. Little did she know that she was about to install malicious software, or malware, on her phone.
Malware is designed to gain unauthorised access to a device’s operating system.
Luckily for Tan, she caught on to the scam just in time. After downloading the app, she noticed her Facebook app flickering. Then her banking apps flashed up on the screen.
“I’m like, OMG. And then it hit me. (The scammer) is controlling my phone remotely,” said Tan.
She managed to shut down her phone, then called one bank after another and even ran down to a branch to get help. In the end, she did not lose any money from her four accounts.
“It shocked me because I’m educated. … I always (thought) maybe the older folks (would be scammed),” she said. “I’d never think someone ‘young’, smart like me, would fall for a chicken ad!
“It wasn’t a get-rich-(quick) scheme.”
The fact is the authorities are seeing an increase in the prevalence of malware scams affecting Android phones.
Between January and August, more than 1,400 victims lost at least S$20.6 million in total, police said. This means some individual losses could have been huge.
And there is no let-up in these scams. As many as half a million new malware apps are being generated daily, the programme Talking Point discovered in a two-part special — along with what you need to know to keep up.
WATCH: How do scammers take over your phone and steal your money? (23:19)
HOW MALWARE WORKS
Malware can enter your phone if you click on a link or, as in Tan’s case, download a random app.
Attackers plant malicious features that can eavesdrop or extract information from your phone, said Verity Lim from NUS Greyhats, an information security interest group based in the National University of Singapore.
For example, a keylogger will monitor what you tap on your device’s keyboard, then it can extract your username and password as you enter them into, say, a banking app. Some malware programs can also capture screenshots of your phone.
“So whatever you’re doing on your phone … can actually be (seen), as long as it’s coded into the malware,” said Lim.
With malware that can give scammers access to the phone, they could force a factory reset on the device and delay the discovery of the unauthorised transaction.
WHY ANDROID PHONES ARE VULNERABLE
To date, all the malware scams in Singapore have involved Android phones. This could be because they are more popular than iPhones and therefore “may be an easier target”, said Chiang.
What makes Android riskier is it allows sideloading, that is, third-party apps — from outside official app stores like Google Play — can be installed, said Willis Lim, the director of the Cyber Security Agency of Singapore’s (CSA)’s National Cyber Threat Analysis Centre.
“This is … in contrast to Apple’s ecosystem, which is a closed one (where) you can only strictly ever download apps from the official Apple store.”
When downloading third-party apps, users will see an Android Package Kit (APK) file, which is a file format for all Android apps. This file cannot be opened by the iPhone operating system (iOS).
A spokesperson for Google said a “community-based, open-source platform” has always been the concept behind Android.
“We don’t try to restrict users to … one single source of downloads or one single type of app that they can use,” said lead threat intelligence adviser Lim Yihao in Google’s subsidiary cybersecurity firm, Mandiant Intelligence.
“You can be vulnerable if you make the wrong choice or if you’re being tricked into downloading something that’s malicious. But we also give users more options (for) the kind of applications they want.”
THE NEXT WAVE, BEYOND ANDROID
Even as scammers continue to target Android users, Lim from the CSA warned that there have been “several well-known instances” of malicious apps slipping into Apple’s App Store.
And there will be “a lot more” attacks on iOS in the near future, said Vu Ngoc Son, the technical director of the Vietnam National Cyber Security Technology Corporation.
Vietnam is among the world’s top 10 cybercrime hotspots, according to the Global Tech Council. Like in Singapore, cyber attacks in Vietnam mostly take place on Android.
“(But) on a global scale, the number of cyber attacks on iOS is catching up to that of Android,” said Son. “It won’t take long because hackers are determined to steal money from victims.
“Hackers are now equipped with better skills and tools.”
Other unusual signs would be apps asking for irrelevant permissions, for example when an app that logs your jogging time requests access to your messages, Duc added.
Experts offer these tips for ways to protect against malware:
• Take warning signs seriously. Before Tan downloaded the malicious app to order fried chicken, there was a pop-up warning on her phone. She sensed a “small red flag” but did not think too much before proceeding.
“We normally do see (these warnings) on a website, and we go ahead still, and it’s fine,” she said.
But Mandiant’s Lim advised caution before clicking that download button. “On your phone, we’ll tell you if you’re about to download something that isn’t from … a trustworthy source,” he said.
• Use the Play Protect scan function. Doing so daily is a good “cyber hygiene” practice for Android users, he said.