Singapore’s smartphones are under fire. Source: Wikimedia
The Association of Banks in Singapore (ABS) is warning smartphone users about a fake software update for WhatsApp that is targeting mobile-banking customers.
Malware hidden in the update had infected Android smartphones over the past few months, said ABS.
“Criminals have been targeting computer users. But now criminals have turned to targeting Android phone users … as banks are pushing out more banking apps for user convenience,” said director of ABS Ong-Ang Ai Boon.
After downloading the update, users are asked to enter confidential information such as their bankcard details.
At this point, the malware disables the smartphone and intercepts the one-time password (OTP) sent as a text message to the phone which enables it commit fraudulent transactions.
About 50 smartphone users in the city-state had been hit by the malware in the last three months, ABS reported.
It said the average amount lost by victims was around “a couple of hundred dollars” with some phone users losing several thousand dollars through multiple transactions.
The transactions appear linked to Eastern Europe and include budget airline ticket purchases.
One hacking attempt disguised itself as an operating system update for the battery management module or an update for the popular messaging application, WhatsApp.
In the latter, a pop-up window encouraged user to download an update for Whatsapp or risk losing access to the app.
After downloading the “update”, users were asked to input their bankcard details.
Once that was entered, the malware intercepted the OTP sent to the phone by text message.
“‘Jail-broken’ iPhones or rooted Androids are vulnerable … and in particular Android, because that phone system involves easier download of third-party apps,” said Ong-Ang Ai Boon.
Banks might refund their customers for such fraudulent transactions, largely depending on whether users had taken satisfactory steps to defend themselves against such attacks, ABS said.
Major banks had realised there was an increasing malware threat towards smartphones targeting monetary transactions, the association added.