What you need to know about malware
SINGAPORE: Junia Tan wanted something simple – a tasty fried chicken dinner with free delivery, just as advertised on Facebook.
However, what appeared to be a straightforward transaction took a dangerous turn when she was required to download an app for payment. This seemingly harmless action led to the installation of malware on her phone.
Malware is specifically engineered to infiltrate a device’s operating system, gaining unauthorized access.
Fortunately, Tan realised the scam just in time. After downloading the app, her Facebook application began to flicker, and her banking apps unexpectedly appeared on her screen.
“I’m like, OMG. And then it hit me. (The scammer) is controlling my phone remotely,” said Tan.
She swiftly powered down her phone and reached out to her banks for assistance, managing to avoid any monetary loss across her four accounts.
“It shocked me because I’m educated… I’d never think someone ‘young,’ smart like me, would fall for a chicken ad!” Tan admitted, expressing her astonishment.
The alarming reality is that authorities have observed a surge in the prevalence of malware scams that target Android smartphones.
Between January and August, the police reported more than 1,400 victims who collectively lost at least S$20.6 million. Individual losses were substantial, highlighting the severity of the issue.
Additionally, new malware apps are being generated at an alarming rate, with up to half a million emerging daily, as revealed in a two-part special by the program “Talking Point.”
How malware operates
Malware can infiltrate your smartphone through various means, such as clicking on a suspicious link or, as in Tan’s case, downloading an unfamiliar app.
Attackers plant malicious elements capable of eavesdropping or extracting sensitive information from your device, as explained by Verity Lim from NUS Greyhats, an information security interest group at the National University of Singapore.
For instance, a keylogger can monitor your keystrokes, potentially obtaining your username and password when you enter them into a banking application.
Some malware programs can even capture screenshots of your device.
“So whatever you’re doing on your phone … can actually be (seen), as long as it’s coded into the malware,” Lim cautioned.
Some apps are designed to appear friendly and non-threatening, such as the one examined by Talking Point. This particular app offered S$5 items like durian, mooncake, and seafood.
Users were prompted to select their bank and log in to their account at the payment stage. However, once users submitted their information, a loading sign appeared, which was when the scammer gained access to their username and password.
Shane Chiang, CEO of cybersecurity consultancy Momentum Z, described how users would often misinterpret the delay as a transaction problem and go about their business, unaware of the breach.
With malware granting scammers access to the phone, they could perform a factory reset on the device, delaying the discovery of the unauthorised transaction.
Why Android phones are more at risk
All known malware scams in Singapore have been linked to Android phones. This may be because Android smartphones are more prevalent than iPhones and therefore present an easier target, according to Shane Chiang.
What makes Android more susceptible is its allowance for sideloading, which means that third-party apps from sources outside official app stores like Google Play can be installed, explained Willis Lim, the director of the Cyber Security Agency of Singapore’s (CSA) National Cyber Threat Analysis Centre.
“This is … in contrast to Apple’s ecosystem, which is a closed one (where) you can only strictly ever download apps from the official Apple store.”
When users download third-party apps on Android, they encounter an Android Package Kit (APK) file, a file format for all Android applications. The iPhone operating system (iOS) cannot open this file.
Google has always championed the concept of a community-based, open-source platform for Android.
“We don’t try to restrict users to … one single source of downloads or one single type of app that they can use,” said Lim Yihao, a lead threat intelligence adviser at Google’s subsidiary cybersecurity firm, Mandiant Intelligence.
“You can be vulnerable if you make the wrong choice or if you’re being tricked into downloading something that’s malicious. But we also give users more options (for) the kind of applications they want.”
To safeguard users, Google conducts app scans before permitting them in the app store.
Nonetheless, some scammers exploit a vulnerability in app updates.
Even seemingly harmless apps, like a flashlight app, may initially appear legitimate, only for threat actors to insert malicious functions when users update the app.
The sheer volume of apps on Google Play makes this a challenging problem.
“We have to play the game of catch-up,” Yihao said. “There’s no silver bullet, unfortunately. Of course, we do our best to … protect our users.”
Google has introduced Play Protect, a malware protection system that scans apps for malicious behavior both before and after they are downloaded from the Play Store.
In a recent update, Google announced plans to strengthen Play Protect with real-time code-level scanning when an app is being installed.
What’s more challenging to control are app downloads from sources other than the official store, as users sometimes grant access permissions due to social engineering, said Mandiant’s Lim.
“It looks (as if it reflects badly) on Android itself, but actually the (malicious) app (didn’t come) from Play Store. The users themselves clicked on it, downloaded it, accepted the permissions that it was (asking), without much review,” he added.
“It’s difficult for us as a company to say, ‘You can’t download all these applications.’ … It becomes a privacy issue — users will be like, ‘Hey, why are you trying to stop me from downloading my favourite application?’”
The next wave, beyond Android
Although scammers continue to target Android users, the CSA’s Lim cautioned that there have been instances of malicious apps infiltrating Apple’s App Store.
Furthermore, Vu Ngoc Son, the technical director of the Vietnam National Cyber Security Technology Corporation, predicted that there would be an increase in attacks on iOS soon.
Vietnam is ranked among the top 10 cybercrime hotspots globally, primarily with attacks on Android devices. However, Son stated that, on a global scale, cyber attacks on iOS are escalating rapidly.
New attacks on iOS are expected to be more subtle, with zero-click attacks becoming more common. These attacks enable scammers to seize control of the phone remotely without any user interaction, often infiltrating devices via emails, text messages, and phone calls.
“Hackers are now equipped with better skills and tools.”
Recently, Russian cybersecurity firm Kaspersky discovered a new zero-click hack that unleashes malware in iPhones when users receive an iMessage. Users did not even need to open the message to trigger the malware.
How to protect yourself
Two signs of malware infection are a slower device and a rapidly depleting battery, according to Bach Trong Duc, an executive manager at the Vietnamese cybersecurity company Bkav. These indicators suggest that your device is transmitting data.
Additional warning signs might involve apps requesting irrelevant permissions. For instance, if an app designed for tracking jogging time seeks access to your messages, this should raise a red flag, cautioned Duc.
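The permission check Duc describes can be automated. The following is an added example, not part of the original article: it reads an app's decoded AndroidManifest.xml and reports sensitive permissions that fall outside what the app's stated purpose needs. The sample manifest, the package name and the "expected" set for a jogging tracker are constructed assumptions; the manifest is assumed to have been decoded to text first (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that give an app reach beyond its own data.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read the screen and act for the user",
}

# Assumption: what a jogging-time tracker plausibly needs.
EXPECTED_FOR_JOGGING = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACTIVITY_RECOGNITION",
    "android.permission.INTERNET",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.jogtimer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus permissions that guard services."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    perms |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    perms.discard(None)
    return perms

def audit(manifest_xml, expected):
    """Return sorted (permission, capability) pairs that are sensitive and unexpected."""
    unexpected = requested_permissions(manifest_xml) - expected
    return sorted((p, SENSITIVE[p]) for p in unexpected if p in SENSITIVE)

if __name__ == "__main__":
    for perm, capability in audit(SAMPLE_MANIFEST, EXPECTED_FOR_JOGGING):
        print(f"RED FLAG: {perm} lets the app {capability}")
```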
Experts have provided several tips to guard against malware:
- Take warning signs seriously: Before downloading the malicious app for her chicken order, Tan encountered a pop-up warning on her phone. She regarded it as a “small red flag” but proceeded nonetheless. Mandiant’s Lim recommended exercising caution before clicking the download button, as phones notify users when they are about to download something from an untrustworthy source.
- Use the Play Protect scan function: Android users are encouraged to employ this function daily as a form of “cyber hygiene.”
- Exercise caution before downloading any app. If a seemingly popular app, like Google Maps, has an unusually low number of downloads, consider it a potential red flag indicating a masquerade attempt.
- Consider using two separate mobile devices. As recommended by Ong-Ang Ai Boon, director of the Association of Banks in Singapore, one device can be dedicated to banking activities, while the other can be used for social purposes. This strategy safeguards your banking data in case you accidentally download malware to the second device.
- Stay informed about the latest scam tactics. If you inadvertently introduce malware into your phone, the best course of action is to do a factory reset immediately.