ANN/THE STRAITS TIMES – She visited a bubble tea shop and saw a sticker pasted on its glass door, encouraging customers to do an online survey to get a free cup of milk tea.
Enticed by what seemed like a good deal, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app onto her Android phone to complete the “survey”. That night, as she was sleeping, her mobile phone lit up.
Thanks to the app she downloaded, scammers could take over her device and moved SGD20,000 from her bank account. Worryingly, she is not the only victim.
In April, the police and the Cyber Security Agency of Singapore warned the public about downloading apps from dubious sites that can lead to malware being installed onto victims’ mobile phones.
They said such malware has resulted in confidential and sensitive data, including banking credentials, being stolen.
That month, the police also alerted the public to the resurgence of phishing scams involving malware installed on victims’ Android phones. The police had said that since March, there have been at least 113 victims who lost at least SGD445,000.
The bubble tea survey scam was related to The Sunday Times by head of anti-fraud at OCBC Bank’s group financial crime compliance department Beaver Chua last week.
“Pasting bogus QR codes outside food and beverage establishments is another cunning way to hook victims as consumers may not be able to differentiate between legitimate and malicious QR codes.”
Chua said that when the victim scans the QR code, he is prompted to download an app containing malware and is made to grant access to the phone’s microphone and camera.
He is also asked to enable Android Accessibility Service, an app intended to assist users with disabilities, which allows the scammer to view and control the victim’s screen.
The scammer waits for the victim to use his mobile banking app and notes his login credentials and password.
The scammer can also disable the facial recognition function, so the victim has to physically key in his details to log into his account, allowing the crook to record the information.
The scammer then accesses the camera to monitor the victim’s activity, waiting for the right moment to strike. At night, when the victim is sleeping, the scammer takes control of the phone through the malware.
He logs into the victim’s mobile banking app and transfers money out of his bank account.