In a recent development, six men, one woman, and three teenagers between the ages of 16 and 28, found themselves in hot water as they were apprehended for their alleged involvement in a string of banking-related malware scams.
The Arrests
The Commercial Affairs Department and Police Intelligence Department conducted extensive island-wide operations from August 28 to September 8, leading to the arrests of ten individuals.
Additionally, two men and two women, aged between 20 and 49, are currently assisting the police in the ongoing investigations.
The Modus Operandi
The suspects are believed to have played a pivotal role in facilitating the scam cases by providing their bank accounts, Internet banking credentials, and Singpass credentials in exchange for money.
Their activities came to the forefront due to a surge in reports of malware compromising Android devices since January 2023. This led to unauthorized transactions draining victims’ bank accounts.
The Trap Unveiled
Victims unwittingly fell into the trap by responding to enticing advertisements on popular social media platforms such as Facebook.
They were directed to download an Android Package Kit (APK) from unofficial app stores, as instructed by the scammers.
Once the APK was installed, victims were convinced to enable accessibility services on their phones. Little did they know that this seemingly innocuous action would be their undoing.
Exploiting Vulnerabilities
Enabling accessibility services weakened the security of the victims’ phones, providing scammers with the opportunity to seize control of the devices.
With this newfound access, they proceeded to steal banking credentials, gain entry to banking apps, add money mules to their operation, raise payment limits, transfer money, and meticulously delete notifications to cover their tracks.
Potential penalties
Persons found guilty of acquiring benefits from criminal conduct face a jail term of up to 10 years and/or a fine of up to $500,000.
Persons found guilty of deceiving banks into opening accounts not meant for personal use, and giving away their login details, face a jail term of up to 3 years and.or a fine.
Persons found guilty of disclosing their Singpass details face a jail term of up to 3 years and/or a fine of up to $10,000.