CNY goodies scam: Victims lose $167K from downloading malicious Android Package Kit

SINGAPORE: The Police have warned the public about an emerging variant of a malware scam where individuals downloaded Android files and lost thousands of dollars. At least five people have lost S$167,000 in this type of scam since September 2023.

“After downloading and installing the APK (Android Package Kit) file (which includes granting the app accessibility services), the victims would be instructed to key in their banking credentials to make full or partial payment for the items,” said the Police, adding, “Unknown to the victims, the scammers will be able to access the victim’s device remotely to steal banking credentials and passwords.”

The hook that drew in the victims were fraudulent advertisements of food items such as goodies for Chinese New Year posted on social media sites, including Facebook and Instagram, the Public Affairs Department of the Singapore Police Force said on Wednesday afternoon (Jan 17).

“Members of the public are advised to be wary of such fraudulent advertisements,” the police added.

Victims would see ads on Facebook or Instagram selling Chinese New Year goodies. When they click on the ad, they’re redirected to FB, IG and other messaging platforms, including WhatsApp, to coordinate with the “sellers” of such goodies.

They were then told to download an Android Package Kit (APK) through malicious links to order food items and buy goodies. APK is the file format used to distribute and install application software onto Android’s OS.

The victims would only learn about the scams after finding unauthorised transactions from their bank accounts.

The Police have said that for people who have already downloaded and installed the app, or for those who believe their devices are infected with malware, they can follow these steps:

1. Turn your phone to “flight mode”. Check that Wi-Fi is switched off and do not switch it on.
   
2. Run an anti-virus scan on your phone.
   
3. Check your bank account/Singpass/CPF, etc., for any unauthorised transaction(s) using another device(s).
4. If there are unauthorised transaction(s), report to the bank and relevant authorities and lodge a Police report.
5. After completing steps a-c, if you believe your phone has not been infected with malware, you may resume using your phone. As a further precaution, you may consider doing a “factory reset” of your phone and changing important passwords. 

As a precaution, the Police have asked the public to add the ScamShield App and security features.

Bank customers should also implement security features for their accounts, including setting up transaction limits for Internet banking transactions and enabling Two-Factor Authentication (2FA) and Multifactor Authentication for banks and e-wallets.

No one should ever give out personal or banking credentials, including Time Passwords (OTPs), to anyone.

Scams should also be reported immediately to the Police Hotline at 1800-255-0000 or via online submission at www.police.gov.sg/iwitness. /TISG

Read also: 219 scam victims lose S$446K via phishing in the first 2 weeks of 2024