Skip to main content
Best News Website or Mobile Service
WAN-IFRA Digital Media Awards Worldwide 2022
Best News Website or Mobile Service
Digital Media Awards Worldwide 2022
Hamburger Menu



CNA Insider

How can scammers control your phone? Here’s what you need to know about malware

Between January and August, at least S$20 million has been lost in malware scams in Singapore. The programme Talking Point explores the inner workings of this scam tactic — and why both Android and iPhone users should take heed.

SINGAPORE: All that Junia Tan wanted was a good deal: a fried chicken dinner with free delivery, as promised by the advertisement she saw on Facebook.

What was the catch? She eventually had to download an app to complete payment. Little did she know that she was about to install malicious software, or malware, on her phone.

Malware is designed to gain unauthorised access to a device’s operating system.

Luckily for Tan, she caught on to the scam just in time. After downloading the app, she noticed her Facebook app flickering. Then her banking apps flashed up on the screen.

“I’m like, OMG. And then it hit me. (The scammer) is controlling my phone remotely,” said Tan.

She managed to shut down her phone, then called one bank after another and even ran down to a branch to get help. In the end, she did not lose any money from her four accounts.

WATCH: A scammer hijacked my phone — How to tell if you’ve got malware and what to do (4:15)

“It shocked me because I’m educated. … I always (thought) maybe the older folks (would be scammed),” she said. “I’d never think someone ‘young’, smart like me, would fall for a chicken ad!

“It wasn’t a get-rich-(quick) scheme.”

The fact is the authorities are seeing an increase in the prevalence of malware scams affecting Android phones.

Between January and August, more than 1,400 victims lost at least S$20.6 million in total, police said. This means some individual losses could have been huge.

And there is no let-up in these scams. As many as half a million new malware apps are being generated daily, the programme Talking Point discovered in a two-part special — along with what you need to know to keep up.

The fried chicken advertisement that was a scam.


Malware can enter your phone if you click on a link or, as in Tan’s case, download a random app.

Attackers plant malicious features that can eavesdrop or extract information from your phone, said Verity Lim from NUS Greyhats, an information security interest group based in the National University of Singapore.

For example, a keylogger will monitor what you tap on your device’s keyboard, then it can extract your username and password as you enter them into, say, a banking app. Some malware programs can also capture screenshots of your phone.

“So whatever you’re doing on your phone … can actually be (seen), as long as it’s coded into the malware,” said Lim.

Verity Lim from NUS Greyhats with Talking Point host Steven Chia.

Some apps can be designed in a friendly, non-threatening manner, said Shane Chiang, chief executive officer of cybersecurity consultancy Momentum Z.

The app that Talking Point got hold of, for example, offered S$5 items such as durian, mooncake and seafood. On the payment page, users are prompted to choose their bank and log in to their account.

As the user presses enter, a loading sign appears. “What’s happening is that the scammer probably has access to your username and password right now. … He’s probably keying (them) in (on) the DBS Bank website,” said Chiang.

“This (loading sign) will just keep spinning, … you’ll think that something is wrong (with the transaction), you’ll turn (the phone) off, you’ll go about your (business).”

A set-up of the attacker’s phone (left) and the victim’s phone (right).

With malware that can give scammers access to the phone, they could force a factory reset on the device and delay the discovery of the unauthorised transaction.


To date, all the malware scams in Singapore have involved Android phones. This could be because they are more popular than iPhones and therefore “may be an easier target”, said Chiang.

What makes Android riskier is it allows sideloading, that is, third-party apps — from outside official app stores like Google Play — can be installed, said Willis Lim, the director of the Cyber Security Agency of Singapore’s (CSA)’s National Cyber Threat Analysis Centre.

“This is … in contrast to Apple’s ecosystem, which is a closed one (where) you can only strictly ever download apps from the official Apple store.”

WATCH: The full episode — How do scammers take over your phone and steal your money? (23:19)

When downloading third-party apps, users will see an Android Package Kit (APK) file, which is a file format for all Android apps. This file cannot be opened by the iPhone operating system (iOS).

A spokesperson for Google said a “community-based, open-source platform” has always been the concept behind Android.

“We don’t try to restrict users to … one single source of downloads or one single type of app that they can use,” said lead threat intelligence adviser Lim Yihao in Google’s subsidiary cybersecurity firm, Mandiant Intelligence.

“You can be vulnerable if you make the wrong choice or if you’re being tricked into downloading something that’s malicious. But we also give users more options (for) the kind of applications they want.”

The app that infected Tan’s phone.

To try to keep users safe, Google scans apps before they are allowed in its app store, he said. But some scammers have found a loophole: app updates.

Something as benign as a torchlight app can appear legitimate at first, he cited. But when the user updates the app, that is when threat actors can insert malicious functions. And there are “billions” of apps in Google Play.

“We have to play the game of catch-up,” he said. “There’s no silver bullet, unfortunately. Of course, we do our best to … protect our users.”

To this end, Google has a Play Protect malware protection system. Like antivirus software, it scans apps for malicious behaviour before they are downloaded from the Play Store.

It can also scan apps that are from other sources and have already been downloaded to the phone. This function is found in the phone’s Play Store app.

In an update this week, Google said it is strengthening Play Protect “with real-time scanning at the code level” when an app is about to be installed.

What is “more difficult” to control are app downloads outside the official store with users granting access permissions because they fell prey to “social engineering”, said Mandiant’s Lim.

“It looks (as if it reflects badly) on Android itself, but actually the (malicious) app (didn’t come) from Play Store. The users themselves clicked on it, downloaded it, accepted the permissions that it was (asking), without much review,” he added.

“It’s difficult for us as a company to say, ‘You can’t download all these applications.’ … It becomes a privacy issue — users will be like, ‘Hey, why are you trying to stop me from downloading my favourite application?’”

Always double-check the permissions you grant to an app.


Even as scammers continue to target Android users, Lim from the CSA warned that there have been “several well-known instances” of malicious apps slipping into Apple’s App Store.

And there will be “a lot more” attacks on iOS in the near future, said Vu Ngoc Son, the technical director of the Vietnam National Cyber Security Technology Corporation.

Vietnam is among the world’s top 10 cybercrime hotspots, according to the Global Tech Council. Like in Singapore, cyber attacks in Vietnam mostly take place on Android.

“(But) on a global scale, the number of cyber attacks on iOS is catching up to that of Android,” said Son. “It won’t take long because hackers are determined to steal money from victims.

“Hackers are now equipped with better skills and tools.”

Malware hackers have the tools to gain unauthorised access to your security details.

These attacks on iOS look to be more insidious. There are zero-click attacks, whereby victims do not need to click on any links, yet scammers would be able to attack and take over the phone remotely, cited Son.

Zero-click hacks enter devices via emails, text messages and phone calls. For example, even a missed WhatsApp call has been known to trigger a spyware injection.

More recently, Russian cybersecurity firm Kaspersky discovered a new zero-click hack unleashing malware in iPhones simply when users receive an iMessage. Users did not even need to open the message to trigger the spyware.


One telltale sign of malware infection can be a slow-running device or a fast-draining battery, said Bach Trong Duc, an executive manager in Vietnamese cybersecurity software company Bkav. These are signs that your device is transmitting data.

Chia finds out the various warning signs.

Other unusual signs would be apps asking for irrelevant permissions, for example when an app that logs your jogging time requests access to your messages, Duc added.

Experts offer these tips for ways to protect against malware:

??Take warning signs seriously.?Before Tan downloaded the malicious app to order fried chicken, there was a pop-up warning on her phone. She sensed a “small red flag” but did not think too much before proceeding.

“We normally do see (these warnings) on a website, and we go ahead still, and it’s fine,” she said.

But Mandiant’s Lim advised caution before clicking that download button. “On your phone, we’ll tell you if you’re about to download something that isn’t from … a trustworthy source,” he said.

??Use the Play Protect scan function.?Doing so daily is a good “cyber hygiene” practice for Android users, he said.

Google Play Protect's new security capabilities. (Image: Google)

??Do due diligence before downloading an app.?If what should be a popular app, such as Google Maps, has very few downloads, that should be a sign that it is a masquerade attempt.

??Have two mobile devices.?One of them could be dedicated to banking activities and the other to social activities, suggested Association of Banks in Singapore director Ong-Ang Ai Boon. If you accidentally download malware to the second phone, the malware will not have access to your banking data.

??Keep abreast of the latest scam tactics.?But if you inadvertently unleash malware in your phone, it is best to factory-reset your phone immediately.

Watch the first episode of this Talking Point special here. The programme airs on Channel 5 every Thursday at 9.30pm.

Source: CNA/dp


Also worth reading


bbm bbm777 bong bong marcus free bet welcome bonus online casino Baccarat Dragon Tiger Red VS Black Mercedes & BMW Bull Bull for 100 Birds & Beasts Boom Red Packet Big & Small Andar Bahar 7 Up Down Win Three Cards Banker Bull Bull Cards Checker Bull Bull Bull Bull Brawl Texas Hold'em Mahjong 2P Pineapple Poker Rummy Teenpatti Super Fruits Slot Water Margin Duo Bao Candy Party DuoFuDuoCai Fortune Gods Fishing Fishing Joy Rocket Crash Lucky Dice Double Dice Mines HiLo Circle Plinko Keno Dragon Fishing Dragon Fishing II Cai Shen Fishing Five Dragons Fishing Fishing YiLuFa Dragon Master Fishing Disco Lucky Dragons Flirting Scholar Tang Winning Mask Wukong The Llama Adventure Formosa Bear Lucky Qilin Lucky Lion Moonlight Treasure Coffeeholics New Year Napoleon Four Treasures Open Sesame Banana Saga Mahjong Olympian Temple Crystal Realm Burglar Dancing Papa Chef-Doeuvre Lucky Miner Candy Land Crazy Scientist Super Dumpling Cash Man Lucky Phoenix Dragon King Magic Show Beauty And The Kingdom Guan Gong Winning Mask II OpenSesameII Flirting Scholar Tang II FortuneHorse XiYangYang Classic Mario Happy New Year Birds and Animals Beer Tycoon Super Super Fruit Crazy King Kong Cai Shen Bingo GoldRoosterLottery HappyLottery Reward Dealer Cock Fight Maya Run Panda Panda Zelda Mr. Bao Billionaire One Punch Man Dragon Warrior Dragon Guardians of The Galaxy Street Fighter China Rouge Star Wars Kingsman War of Beauty Daji Gems Gems Curvy Magician Mining Upstart Lucky Racing Fa Da Cai LuckySeven OrientAnimals TripleKingKong BirdsParty GoLaiFu DragonsWorld SuperNiubi EgyptTreasure Fortune Treasure PirateTreasure Mjolnir TreasureBowl GoldenDisco FunkyKingKong SuperNiubiDeluxe MinerBabe Moneybags Man DoubleWilds PopPopFruity Spindrift DragonsGate JungleJungle Spindrift2 LuckyDiamond Kong RexBrothers NinjaX Wonder Elephant MarvelousIV LanternWealth MayaGoldCrazy War Of Empires BigThreeDragons Boom Fiesta Blossom of Wealth Star Line Glamorous Girl ProsperityTiger BBQ Burger Book of Mystery Fortune Neko Elemental Link Fire Elemental Link Water CooCoo Farm CAISHEN COMING FRUITY BONANZA Rooster In Love Monkey King Fire Bull Wealthy Fuwa Inca Empire Ninja Rush Chef Panda Sun Archer Legendary5 Mystery of Ninetails TongbiNiuNiu QiangZhuangLiuNiu TongbiLiuNiu Six Gacha JumpHigh RaveJump JumpHigher Jump High 2 LuckyBats FlyOut Good Fortune God of War Zeus DiscoNight Move n' Jump DiscoNight M jumping mobile FaCaiShen THOR RaveJump2 Wolf Disco Fire Queen Six Candy Good Fortune M ZhongKui Fa Cai Shen2 GuGuGu 5 God Beasts Fire Chibi 2 Snow Queen God of War M WaterWorld Chameleon SoSweet Flower Fortunes Flying Cai Shen Wheel Money Kronos Double Fly TreasureBowl Mr.Rich Gu Gu Gu 3 Zeus M Golden Eggs Fa Cai Shen M Super5 HappyRichYear Hephaestus Fa Cai Fu Wa Ne Zha Advent Fire Chibi Shou-Xin LuckyBats M Running Animals Wolf Moon OrientalBeauty Funny Alpaca 5 Boxing VampireKiss Apollo Fire Chibi M RaveJump2 M SkrSkr Diamond treasure Apsaras Dragon Heart YuanBao HotSpin TreasureHouse 777 Sky Lanterns The Beast War GreatLion FruitKingII 888 Thor 2 RedPhoenix Gold Stealer RunningToro Fire777 Ecstatic Circus All Wilds Meow Detective Dee2 Poseidon WonWonWon BigWolf Boots of Luck Fortune Spirits Lucky 3 LuckyFishing Paradise Oneshot Fishing Lord Ganesha Dragon’s Treasure Jungle Party Cricket Fever Fortune Dragon Alice Run Money Tree Thai HILO Da Hong Zhong Hanuman Bingo Aladdin's lamp Dollar Bomb King Kong Shake Ganesha Jr. Dragon Koi Hot DJ Coin Spinner Hero Fishing Greek Gods Thai Fish Prawn Crab Lucky Tigers Mr. Miser Mummy's Treasure The Chicken House Myeong-ryang 888 Cai Shen Night City Seotda Funky Bingo Treasure Pirate Baccarat Boat of Fortune Football Star Deluxe Ladies Nite 2 Turn Wild Rugby Star Deluxe A Dark Matter Long Mu Fortunes 9 Masks of Fire Break Away Lucky Wilds Lucky Twins Jackpot Ping Pong Star Zombie Hoard Win Sum Dim Sum Wild Scarabs Wild Orient Wicked Tales: Dark Red What A Hoot Wacky Panda Untamed - Giant Panda Treasures of Lion City Treasure Palace Tomb Raider Titans of the Sun - Theia Titans of the Sun - Hyperion Tiki Vikings Tiger's Eye