The Singapore Police Force (SPF) announced last week the arrest in neighboring Malaysia of two suspected Android malware scammers (pictured) who were transferred to their custody two days later. The men are believed to have operated servers that infected Android phones with malware that compromised the security of the devices, with the result that accomplices were able to gain control of the bank accounts of victims and drain them of money. There were 1,899 cases of malware-enabled crimes of this type recorded in Singapore during 2023, at a collective cost of SGD34.1mn (USD25.2mn) to victims.
The methods used by the criminals will be familiar to risk professionals who have paid attention to the convergence of telecoms and banking scams. To begin with, scammers fool unsuspecting members of the public into downloading malicious apps to their phones. These apps give the scammers remote access which allows them to further reconfigure the phone’s security settings. Ultimately, scammers can gain visibility of a victim’s messages, log passwords typed into the phone, overlay browser windows with phishing sites, and spy on victims through the phone’s camera and microphone. Compromised personal data is then used to take control of a victim’s bank account.
A 7-month investigation jointly run by the SPF, the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP) was able to identify the malware servers alleged to have been operated by the two men. They were arrested by the RMP on June 12. Meanwhile, HKPF took 52 malware-controlling servers offline and arrested 14 money mules working for the same criminal syndicate.
Information shared with the Taiwan Police also allowed them to shut down a scam customer service compound in Kaohsiung City, southern Taiwan, during May. The Taiwanese authorities seized assets collectively worth USD1.33mn during the raid, including real estate and cryptocurrency.
You can see the full press release from the Singapore Police here.



