Saturday, May 10, 2025

SCAMMERS UPGRADING METHODS, NOW SEND PDF FILES INSTEAD, WOMAN LOST $70K FROM FAKE “INVOICE”

Now scared to even open pdfs


Apparently my friend sent me this about someone she knows.

The scammers have changed their modus operandi. They don’t ask you to download the app. My neighbour told me, yesterday, her sister (a cancer patient) wanted a part-time helper to clean her house.

Hence, she went to Facebook. Called the number and made the request. The advertiser asked whether she had a Paynow and she said that she had.

He directed her to make the partial payment and he will send the invoice to confirm. (Note: He did not ask her to download an app as people are getting alert).


When she received the invoice in PDF format, she did not suspect any foul play and clicked it. The invoice showed the amount paid and the balance to be paid. Thereafter, she went to sleep.

Next morning, her phone could not be switched on. She used her laptop to check her DBS bank account. Her $20K was gone, her 2 fixed deposits of $25K, which had not reached the maturity date, were also gone. Total loss was $70K.

When she went to the bank and asked why her fixed deposit was also gone, the receptionist told her that digital banking allows you to transfer the amount back to your account to facilitate withdrawals without going to the bank.

Police told her the malware was embedded in the PDF document. So folks, beware that the scammers are always changing their modus operandi.

Netizens’ comments

FYI, you can use a different PDF reader like SumatraPDF on Windows to prevent embedded malware from running. For Android, you can use an alternative PDF reader like ReadEra or Foxit PDF Editor.


However, it is extremely unlikely that she really received a PDF file that has embedded malware. What most likely happened is that the user clicked a link in the PDF file thinking it would redirect to PayNow, but instead it directed the user to download and install an APK file. After installation, the app asked for their login details, which is game over by then. To be clear, after this, the attacker has the login password + control of the 2FA device, and can now log in directly on the iBanking website, bypassing any mobile app checks. This is why hardware tokens (or alternative solutions like physically going to an ATM to authenticate large transfers) will solve the issue.

Embedded malware exploits the vulnerabilities in the PDF reader (usually Adobe PDF Reader) to escape the Android application sandbox and run malicious code. Using a different PDF reader solves the issue because the embedded code is usually targeted at popular apps like Adobe Acrobat. Since the exploit does not work when you use a different PDF reader, the embedded malware code will not run.

EDIT: Many YouTube channels were hacked by using such techniques on Windows via stealing the session token from the Chrome browser. LinusTechTips is one of them. The PDF file was not actually a PDF file but an executable file with a “.pdf.exe” extension and an icon that looks like the Adobe PDF icon. As of today (21 Oct 2023), I’ve never heard of such embedded malware PDF exploits on Android yet.
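Added example, not part of the article or the comments above: a short Python check for the two disguises the comment describes, a ".pdf.exe" double extension and a file presented as a PDF invoice whose content is really an executable or an APK (ZIP) container. The function names, the extension list and the sample file names are assumptions made for this illustration.

```python
import os

# Extensions that run or install code when opened (short constructed list).
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".apk"}


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if head.startswith(b"MZ"):            # Windows PE executable
        return "windows-exe"
    if head.startswith(b"PK\x03\x04"):    # ZIP container; an APK is a ZIP
        return "zip-or-apk"
    if b"%PDF-" in head[:1024]:           # PDF header; readers tolerate some leading bytes
        return "pdf"
    return "unknown"


def check_attachment(filename: str, head: bytes) -> list[str]:
    """Return warnings for a file that was presented as a PDF invoice."""
    warnings = []
    stem, ext = os.path.splitext(filename.strip().lower())
    inner_ext = os.path.splitext(stem)[1]
    actual = sniff_type(head)

    if ext in RISKY_EXT:
        # "invoice.pdf.exe" shows as "invoice.pdf" when extensions are hidden.
        warnings.append("double-extension" if inner_ext == ".pdf"
                        else "runnable-extension")
    if actual in ("windows-exe", "zip-or-apk"):
        warnings.append("content:" + actual)
    elif ext == ".pdf" and actual != "pdf":
        warnings.append("not-a-pdf")
    return warnings


def check_file(path: str) -> list[str]:
    """Same check for a file on disk; only the first 1 KiB is read."""
    with open(path, "rb") as fh:
        return check_attachment(os.path.basename(path), fh.read(1024))


if __name__ == "__main__":
    # Constructed samples: (name, first bytes). No real files are involved.
    samples = [("Invoice.pdf.exe", b"MZ\x90\x00"), ("invoice.pdf", b"%PDF-1.7\n"),
               ("invoice.pdf", b"PK\x03\x04\x14\x00"), ("paynow.apk", b"PK\x03\x04")]
    for name, head in samples:
        print(name, "->", check_attachment(name, head) or "ok")
```

An empty list only means the name and the header agree; it says nothing about links inside a genuine PDF, which is the scenario the comment considers most likely.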
