How can scammers control your phone? Here’s what you need to know about malware
Between January and August, at least S$20 million has been lost in malware scams in Singapore. The programme Talking Point explores the inner workings of this scam tactic — and why both Android and iPhone users should take heed.
SINGAPORE: All that Junia Tan wanted was a good deal: a fried chicken dinner with free delivery, as promised by the advertisement she saw on Facebook.
What was the catch? She eventually had to download an app to complete payment. Little did she know that she was about to install malicious software, or malware, on her phone.
Malware is designed to gain unauthorised access to a device’s operating system.
Luckily for Tan, she caught on to the scam just in time. After downloading the app, she noticed her Facebook app flickering. Then her banking apps flashed up on the screen.
“I’m like, OMG. And then it hit me. (The scammer) is controlling my phone remotely,” said Tan.
She managed to shut down her phone, then called one bank after another and even ran down to a branch to get help. In the end, she did not lose any money from her four accounts.
“It shocked me because I’m educated. … I always (thought) maybe the older folks (would be scammed),” she said. “I’d never think someone ‘young’, smart like me, would fall for a chicken ad!
“It wasn’t a get-rich-(quick) scheme.”
The fact is the authorities are seeing an increase in the prevalence of malware scams affecting Android phones.
Between January and August, more than 1,400 victims lost at least S$20.6 million in total, police said. This means some individual losses could have been huge.
And there is no let-up in these scams. As many as half a million new malware apps are being generated daily, the programme Talking Point discovered in a two-part special — along with what you need to know to keep up.
HOW MALWARE WORKS
Malware can enter your phone if you click on a link or, as in Tan’s case, download a random app.
Attackers plant malicious features that can eavesdrop or extract information from your phone, said Verity Lim from NUS Greyhats, an information security interest group based in the National University of Singapore.
For example, a keylogger will monitor what you tap on your device’s keyboard, then it can extract your username and password as you enter them into, say, a banking app. Some malware programs can also capture screenshots of your phone.
“So whatever you’re doing on your phone … can actually be (seen), as long as it’s coded into the malware,” said Lim.
Some apps can be designed in a friendly, non-threatening manner, said Shane Chiang, chief executive officer of cybersecurity consultancy Momentum Z.
The app that Talking Point got hold of, for example, offered S$5 items such as durian, mooncake and seafood. On the payment page, users are prompted to choose their bank and log in to their account.
As the user presses enter, a loading sign appears. “What’s happening is that the scammer probably has access to your username and password right now. … He’s probably keying (them) in (on) the DBS Bank website,” said Chiang.
“This (loading sign) will just keep spinning, … you’ll think that something is wrong (with the transaction), you’ll turn (the phone) off, you’ll go about your (business).”
With malware that can give scammers access to the phone, they could force a factory reset on the device and delay the discovery of the unauthorised transaction.
WHY ANDROID PHONES ARE VULNERABLE
To date, all the malware scams in Singapore have involved Android phones. This could be because they are more popular than iPhones and therefore “may be an easier target”, said Chiang.
What makes Android riskier is that it allows sideloading: third-party apps from outside official app stores like Google Play can be installed, said Willis Lim, the director of the Cyber Security Agency of Singapore’s (CSA) National Cyber Threat Analysis Centre.
“This is … in contrast to Apple’s ecosystem, which is a closed one (where) you can only strictly ever download apps from the official Apple store.”
When downloading third-party apps, users will see an Android Package Kit (APK) file, which is a file format for all Android apps. This file cannot be opened by the iPhone operating system (iOS).
A spokesperson for Google said a “community-based, open-source platform” has always been the concept behind Android.
“We don’t try to restrict users to … one single source of downloads or one single type of app that they can use,” said Lim Yihao, lead threat intelligence adviser at Mandiant Intelligence, Google’s cybersecurity subsidiary.
“You can be vulnerable if you make the wrong choice or if you’re being tricked into downloading something that’s malicious. But we also give users more options (for) the kind of applications they want.”
To try to keep users safe, Google scans apps before they are allowed in its app store, he said. But some scammers have found a loophole: app updates.
Something as benign as a torchlight app can appear legitimate at first, he said, citing an example. But when the user updates the app, that is when threat actors can insert malicious functions. And there are “billions” of apps in Google Play.
“We have to play the game of catch-up,” he said. “There’s no silver bullet, unfortunately. Of course, we do our best to … protect our users.”
To this end, Google has a Play Protect malware protection system. Like antivirus software, it scans apps for malicious behaviour before they are downloaded from the Play Store.
It can also scan apps that are from other sources and have already been downloaded to the phone. This function is found in the phone’s Play Store app.
In an update this week, Google said it is strengthening Play Protect “with real-time scanning at the code level” when an app is about to be installed.
What is “more difficult” to control are app downloads outside the official store with users granting access permissions because they fell prey to “social engineering”, said Mandiant’s Lim.
“It looks (as if it reflects badly) on Android itself, but actually the (malicious) app (didn’t come) from Play Store. The users themselves clicked on it, downloaded it, accepted the permissions that it was (asking), without much review,” he added.
“It’s difficult for us as a company to say, ‘You can’t download all these applications.’ … It becomes a privacy issue — users will be like, ‘Hey, why are you trying to stop me from downloading my favourite application?’”
THE NEXT WAVE, BEYOND ANDROID
Even as scammers continue to target Android users, Lim from the CSA warned that there have been “several well-known instances” of malicious apps slipping into Apple’s App Store.
And there will be “a lot more” attacks on iOS in the near future, said Vu Ngoc Son, the technical director of the Vietnam National Cyber Security Technology Corporation.
Vietnam is among the world’s top 10 cybercrime hotspots, according to the Global Tech Council. Like in Singapore, cyber attacks in Vietnam mostly take place on Android.
“(But) on a global scale, the number of cyber attacks on iOS is catching up to that of Android,” said Son. “It won’t take long because hackers are determined to steal money from victims.
“Hackers are now equipped with better skills and tools.”
These attacks on iOS look to be more insidious. There are zero-click attacks, in which victims do not need to click on any links, yet scammers are able to attack and take over the phone remotely, said Son.
Zero-click hacks enter devices via emails, text messages and phone calls. For example, even a missed WhatsApp call has been known to trigger a spyware injection.
More recently, Russian cybersecurity firm Kaspersky discovered a new zero-click hack unleashing malware in iPhones simply when users receive an iMessage. Users did not even need to open the message to trigger the spyware.
HOW YOU CAN PROTECT YOURSELF
One telltale sign of malware infection can be a slow-running device or a fast-draining battery, said Bach Trong Duc, an executive manager in Vietnamese cybersecurity software company Bkav. These are signs that your device is transmitting data.
Other unusual signs would be apps asking for irrelevant permissions, for example when an app that logs your jogging time requests access to your messages, Duc added.
Experts offer these tips for ways to protect against malware:
• Take warning signs seriously. Before Tan downloaded the malicious app to order fried chicken, there was a pop-up warning on her phone. She sensed a “small red flag” but did not think too much before proceeding.
“We normally do see (these warnings) on a website, and we go ahead still, and it’s fine,” she said.
But Mandiant’s Lim advised caution before clicking that download button. “On your phone, we’ll tell you if you’re about to download something that isn’t from … a trustworthy source,” he said.
• Use the Play Protect scan function. Doing so daily is a good “cyber hygiene” practice for Android users, he said.
• Do due diligence before downloading an app. If what should be a popular app, such as Google Maps, has very few downloads, that should be a sign that it is a masquerade attempt.
• Have two mobile devices. One of them could be dedicated to banking activities and the other to social activities, suggested Association of Banks in Singapore director Ong-Ang Ai Boon. If you accidentally download malware to the second phone, the malware will not have access to your banking data.
• Keep abreast of the latest scam tactics. But if you inadvertently unleash malware in your phone, it is best to factory-reset your phone immediately.