The Singapore Police Force (SPF) has issued an advisory on the prevalence of malware scams that affect Android users in Singapore. Since February 2025, there have been 128 reported cases of malware scams, with total losses amounting to no less than S$2.4 million. These malware scams also make use of phishing methods to deceive victims.
Phishing scams are a growing threat in Singapore. According to the 2024 Annual Scams and Cybercrime Brief, there have been 8,552 phishing scams in Singapore, with total losses amounting to S$59.4 million. The impact of phishing fraud in Singapore is not small, and thus, it is crucial to know how to spot and avoid such scams.
This guide explains how this malware scam affects Android users, as well as preventive tips on how to stay safe from malware scams in Singapore.
In this scam variant, the scammers will list advertisements for various goods and services on Facebook or TikTok. Victims will come across these ads and contact the scammers through the provided contact details to express interest. The scammers will then contact the victims through WhatsApp and request a token sum as a membership fee payment or an upfront deposit. The payment is to be made through a URL link.
However, after keying in their credit or debit card details or iBanking login credentials into the payment website, victims will encounter issues with their payment. In the name of resolving the payment issues, the scammers will then deceive victims into downloading a malicious application in Android Package Kit (APK) format, sent through WhatsApp.
This malware allows the scammers to remotely access victims’ devices to steal sensitive information such as SMS One-Time Passwords (OTPs). When the victims attempt to pay the token sum again, the scammers access the OTPs. With the victims’ credit or debit card details, as well as the OTPs, the scammers can perform unauthorised transactions with the victims’ bank accounts, either from the victims’ mobile device or their own.
In some cases, before downloading the malicious APK file, the scammers will guide victims to disable Google Play Protect from the Google Play Store. Google Play Protect helps protect against harmful downloads on Android phones. However, once Google Play Protect is disabled, victims will not receive notifications that malware has been installed on their phones.
Some scammers may also ask victims to download Virtual Private Network (VPN) apps from the Google Play Store to facilitate the scammers’ connection to the victims’ Android devices. This means that the scammers are able to bypass anti-malware measures on the victims’ phones and also remotely access their bank accounts with the phished login credentials.
The SPF has encouraged Singaporeans to follow the ACT framework to stay safe from such malware scams and phishing scams.
Add the Scamshield app to block scam calls and SMSs. Download anti-virus applications on your phone and ensure that they are up to date. Visit the CSA website for the recommended list of anti-virus applications.
For Android devices, enable Google Play Protect. Disable “Install Unknown App” or “Unknown Sources” in your phone settings and do not grant permission to any requests to access your device’s hardware or data.
Learn to check for scam signs with Scamshield or Scam.SG. Discover the different types of scams in Singapore. Call and check with Scamshield Helpline at 1799 if you are unsure.
Check for suspicious messages, phone numbers and website links through the Scamshield website. Check for company trustworthiness with Scam.SG. Only download and install applications from the official Google Play Store.
Report the scam to the police. Tell your friends and family about the scam to help keep them safe. Report and block suspicious chat groups or accounts. If your bank account has been compromised, report it to your bank’s anti-scam hotline immediately. If there are no losses, report the scam to Scam.SG to help others learn from your experience.
If you have already downloaded the malicious app or suspect that your phone is infected with malware, take the following steps.
If you require further information, check out what to do if you download a malicious app. For more information on other types of scams, visit www.scamshield.gov.sg or check the other articles on Scam.SG.
Phishing scams in Singapore are fraudulent schemes that trick people into revealing sensitive information, such as banking credentials, through fraudulent emails, text messages or phone calls. Phishing scams are a growing threat in Singapore. As mentioned above, phishing scams contributed close to S$60 million in scam losses in 2024 alone.
The scam variant above is a typical phishing scam, coupled with a malware scam. In the beginning, the scammers get victims to enter their banking credentials into a supposed payment website. This allows the scammers to get hold of the victims’ sensitive information, which is the first step of the scam.
It is important to know what to do to avoid falling prey to phishing scams. Here at Scam.SG, discover how to spot phishing scams by recognising their red flags. Learn prevention tips as well as what to do if you gave your personal information to a phishing scam.
E-commerce scams are fraudulent schemes that happen on online shopping platforms. They get victims to pay for items that are fake, misrepresented or never arrive. According to the 2024 Annual Scams and Cybercrime Brief, there were 11,665 e-commerce scams in Singapore in 2024. Total losses amounted to S$17.5 million.
The scam variant above is very similar to an e-commerce scam. Fraudulent advertisements for items appear on social media websites such as Facebook and TikTok. Users are enticed by deals or discounts that are often too good to be true. Scammers then make use of this to phish sensitive information from victims by getting them to enter that information into spoofed websites.
Learn how to spot and avoid e-commerce scams in Singapore with Scam.SG. Discover red flags and warning signs, as well as how to protect yourself when online shopping in Singapore.