SINGAPORE: Twelve people – 11 men and one woman aged between 17 and 40 – were arrested in a two-week islandwide operation for their suspected involvement in a series of banking-related malware scams.

The operation, conducted by the Commercial Affairs Department and Police Intelligence Department between Oct 9 and 20, revealed that the suspects had purportedly facilitated the scams by surrendering their bank account and Internet banking details and Singpass credentials for monetary gains.

Since the start of 2023, the police have noted a surge in reports of Android mobile devices being compromised by malware, leading to unauthorised transactions from victims’ bank accounts.

The victims, who had not disclosed their Internet banking or Singpass details to anyone, were tricked into downloading malicious Android package kits from unofficial app stores after responding to social media advertisements for services and goods such as pet grooming and groceries.

The scammers would then persuade the victims through phone calls or text messages to activate accessibility services on their Android phones, weakening the devices’ security and allowing the scammers to take full control.

This enabled the scammers to log every keystroke, steal stored banking credentials, access victims’ banking apps remotely, raise payment limits, add money mules as payees, and transfer money.

The scammers also managed to delete SMS and e-mail notifications of the bank transactions to cover their tracks.

This recent wave of arrests comes in the wake of a spike in the number of malware scam victims in July and August, as reported by The Straits Times. The losses incurred during these two months were almost equivalent to the total losses in the first half of 2023.

The police have warned the public against downloading apps from third-party websites or unknown sources, as these unverified apps may contain malware that can severely compromise the security of mobile devices.

They also advised the public to be wary of requests for Singpass and banking credentials or money transfers, and to reject seemingly attractive money-making opportunities that promise fast and easy payouts for the use of their Singpass or bank accounts.

Investigations are ongoing.

Those who deceive banks into opening bank accounts not meant for personal use and relinquishing the accounts’ login details could be fined up to $5,000 or jailed for up to two years, or both.

Those guilty of disclosing Singpass credentials are liable for a jail term not exceeding three years, a fine of up to $10,000, or both. - The Straits Times/ANN