Victim Loses S$71K From Downloading Fake Google Play App

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,039
14 Apr 2023

After downloading a fake Google Play app on his phone, a 70-year-old man in Singapore lost close to S$71,000 in merely two hours.

Police investigations later found out that this was due to malware attached to the fake app.

Sharing his story, the victim hopes that this incident will be a good reminder for others to protect their personal information.

Lost almost all his life savings in just 2 hours​

Identifying himself as Mr Lu (not his real name), the 70-year-old man told Shin Min Daily News that he received a call from DBS at around 9am on 29 Jan.

The bank informed him that between 3am to 5am that morning, several transfers to foreign countries were made under his account. These transfers totalled around S$71,000.

Inclusive in this S$71,000 was also a S$30,000 pension he had received that month.

As a result of the transactions, Mr Lu had only S$2,000 left in his bank account. Shocked by the balance, he immediately asked the bank to freeze his account.

To make matters worse, the hackers allegedly charged S$6,000 to his credit card. Mr Lu has yet to repay the sum.

Malware attached to fake Google Play app led to hacking​

Following his discovery, Mr Lu promptly made a police report. He also handed his phone over to the police for investigation.

The police later discovered that a fake Google Play app Mr Lu had downloaded on his phone came with malware. The vulnerability apparently led to the theft of his personal information, including his bank account details.

Recounting what the police told him, Mr Lu explained to Shin Min Daily News that he couldn’t retrieve his money as it had been transferred to foreign accounts.

This issue caused both him and his wife to have several sleepless nights. After all, it only took two hours for him to lose his hard-earned money.


Hopes bank can help recover money​

Mr Lu highlighted that he did not reveal his one-time password (OTP) to anybody, nor did he click on any suspicious links.

He felt as though the bank’s security measures were not stringent enough, resulting in such lapses. He thus hopes that DBS can give him a proper explanation for what happened.

Shin Min Daily News also revealed that Mr Lu contacted the bank again in February, hoping that they could return his money back to him.

SPF warns public against downloading dubious apps​

On Tuesday (11 Apr), the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) released a joint statement advising the public to be careful when downloading apps from dubious sites. This is because such apps can result in the installation of malware on users’ devices.

Such malware can purportedly cause “confidential and sensitive data, such as banking credentials” to be stolen by hackers.

SPF and CSA also provided steps for the public to identify dubious apps and protect their data.


1681447308390.png


OTP is not helping here. I believe all traffic already directed through the fake app.

Anybody thinks the use of a physical security key as 2FA would help here? If physical security key cannot help what is the best method to defeat it? Maybe don't download apps from 3rd-party stores, don't carry out online monetary transactions from phone etc
 
Last edited by a moderator:

billink

Level 1
Feb 8, 2023
5
I'm afraid the difference between the genuine and the fake app is really difficult for a man of this age to spot. Honestly, I cannot say that I would pay attention that "Store" is missing. Pure horror, that's what it is. Poor man...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top