Blogs:

Why Scamming Never Stops

Chi Wai HUI, CISSP

 An Inside Look at Scams and Countermeasures 

 September 2023 – Mobile malware attacks are once again on the rise in Singapore, with Android users being the primary targets. These attacks typically begin with enticing advertisements spread across various social media platforms such as Facebook and Instagram. These ads lure victims in with attractive promotions, often related to food delivery and cleaning services. To avail of these offers, victims are directed to click on a link, which connects them to scammers via WhatsApp. The scammers then request the installation of a mobile app and a SGD 5 deposit to confirm the order. Unfortunately, the installation of this app grants the attackers control over the victim’s device, leading to potential bank account breaches. 

As a cybersecurity solutions consultant, I decided to delve deeper into the world of scammers by engaging with one myself. 

It all started with a Facebook advertisement for a home cleaning service. Clicking on the link led me to the scammer via WhatsApp. Assuming that English would suffice for communication, I initiated a conversation about the service, scheduling, and pricing. However, after providing an incomplete residential address, the scammer generated an invoice without realising the address didn’t make sense. He then insisted on the installation of a mobile app by sharing an APK file via WhatsApp. 

During our conversation, the scammer struggled to express himself in English and requested that we switch to Mandarin. The mobile app, named Sg Best V3.3, demanded full control over my phone. I became suspicious when I noticed a little red icon indicating that screencasting was in progress, allowing the attacker to view everything on my device. Upon launching the app, it displayed a cleaner company name different from the one claimed by the scammer. When I attempted to uninstall the app, I encountered difficulties due to administrator privileges. Eventually, I resorted to turning on Google Play Protect to detect and remove the malware. 

With the APK file in my possession, I conducted a static analysis, which revealed that the app could not run in an emulator, requiring a physical phone. If the phone were rooted, installation would be even easier. Surprisingly, there were no warnings from Google Play Protect. Using a simple tool, I discovered that the app had access to 15 dangerous permissions, including reading SMS, accessing location data, and recording audio. 

  1. Send SMS 
  2. Read SMS 
  3. Read Call Log 
  4. Read Contacts 
  5. Get Accounts 
  6. Camera 
  7. Record Audio 
  8. Access Coarse Location 
  9. Access Fine Location 
  10. Call Phone 
  11. Read External Storage 
  12. Write External Storage 
  13. Read Phone State 
  14. Read Calendar 
  15. 1Write Calendar 

Uploading the APK file to VirusTotal confirmed that it was a trojan horse designed to extract sensitive information from compromised devices. 

 

 

Note that the mobile app users are not the only ones affected by this scam. Legitimate cleaning service providers have also received numerous complaints about scams, resulting in many customers switching to other service providers. 

 

After investigating several fake advertisements, I noticed that some of them connected to the same WhatsApp account. Furthermore, the scammers recognised when the same person contacted them multiple times, even leaving scolding voice messages. It appears that these scammers are part of the same group, constantly evolving their tactics. 

Despite multiple reports of these attacks over the years, people continue to fall victim to scams. While educating the public about the dangers of scammers is essential, hardening mobile banking apps against attacks remains the most effective strategy. Enabling Multi-Factor Authentication (MFA) is a proven method to protect against account takeover. However, not all MFAs are equal. Authentication relies on three factors: what you know, what you have, and who you are. When attackers phish for information, they gain knowledge about what you know. Monitoring your device for one-time passwords (OTPs) gives them access to what you have. Among these factors, biometrics requires the most technical skills to compromise. 

Ultimately, achieving absolute resistance to cyberattacks remains a complex challenge. However, it’s important to note that mobile technologies capable of providing ultra-high-security solutions do exist. In addition to MFA, hardening banking apps to detect unauthorised access and respond to malware attacks effectively safeguards end users from financial loss. When combined with a comprehensive set of physical, technical, and administrative controls, they create a formidable defense against attackers seeking to compromise the system while enhancing the bank’s reputation for customer-first security.

 

Chi Wai Hui is a seasoned Mobile App Security Expert with extensive experience in the cybersecurity field. As a CISSP and ACLP Certified Trainer, he has over a decade of expertise in providing cutting-edge security solutions, conducting training and workshops, and advocating for the importance of App Identity, Device Identity, and User Identity. His impressive career includes roles at renowned organizations such as V-Key, IDEMIA, and Gemalto, where he has consistently demonstrated his commitment to mobile app security and authentication, making him a valuable asset in the industry. 

ABOUT V-KEY

 V-Key’s pioneering mobile technology powers ultra-high-security solutions for mobile identity, authentication, authorization, and payments for major banks, payment gateways, and government agencies. The V-OS Smart Token family is a versatile, highly secure second-factor authentication and authorization solution for mobile devices. They are a flexible and cost-effective alternative to traditional hardware Time Password (OTP) tokens and OTP-delivered SMS. Moreover, the V-OS Smart Token family offers a much more efficient authentication process than traditional methods, allowing for quick and secure authentication of customers. It is becoming increasingly important for banks as digital transactions grow. Additionally, V-OS Smart Token can be used to quickly confirm transactions, helping to reduce the risk of fraud and data theft.

Blogs
SMS MFA Vulnerabilities Unveil Massive Security Risks

Recent security incidents, including those involving leading technology firms, have underscored vulnerabilities within SMS-based authentication. These events have prompted organizations to reevaluate their security strategies. To effectively defend against cyber threats, it’s essential to understand the strengths and weaknesses of MFA – SMS approaches and explore how additional technologies like Push Notifications and Silent Network Authentication (SNA) can enhance overall security.

Blogs
From Traditional to Digital: A Bank’s Journey of Innovation

The convergence of technology and banking has catalyzed significant changes in the operations of banks and their interactions with customers. One prominent change is the emergence of fully digital banks, which are revolutionizing conventional banking practices and enhancing accessibility to banking services and new concepts.

Blogs
Implementing Cybersecurity Strategies to Counteract Scams during Lunar New Year

With Lunar New Year around the corner, experts have warned of an anticipated surge in scams due to the increased online shopping activities. We need to be aware of two major types of attacks.

Blogs
Strengthening Australia’s Digital Landscape: V-Key and Ignite Partners Join Forces

In a significant strategic development, V-Key, a leading provider of advanced mobile security solutions, has formed a powerful alliance with Ignite Partners, a highly respected consultancy firm known for its expertise in helping over 600 international companies successfully enter and expand their operations in Australia and New Zealand. As part of this collaboration, Ignite Partners has appointed two seasoned professionals, David Eccles and Ray Fleming, both with extensive experience in sales, management, and business development, to lead V-Key’s expansion into the Australian market. This announcement marks a pivotal moment for V-Key as it aims to secure Australia’s digital landscape and contribute to the nation’s growing digital economy. 

Blogs
Reinforcing Identity Protection Against Account Takeover

Account takeover occurs when unauthorised individuals gain control of a user’s online account, granting them access to personal information, sensitive data, and even the ability to perform malicious actions. By incorporating non-repudiation into their cybersecurity solutions, businesses can create a secure user environment and establish a foundation of trust.

Blogs
The Role of Mobile App Security in Crypto Wallets

Mobile devices are highly susceptible to various security threats, and without proper security measures, hackers can exploit these weaknesses to gain unauthorised access to your crypto wallet. Mobile app security helps protect your wallet from malicious apps attempting to steal sensitive information.

Blogs
Thailand’s Battle for Safer Mobile Apps

The financial losses and reputational damage caused by these fraudulent apps and malware have highlighted the urgent need for robust mobile app security measures. Businesses operating in Thailand must prioritise the integration of comprehensive security protocols to protect their customers and reputation.

Blogs
Revolutionising Universal Digital Identities with V-Key ID

V-Key ID utilizes V-OS, a secure operating system, to encrypt user identity data. This encrypted data can be safely stored in the cloud, ensuring enhanced portability without compromising data security. Users can access their identities seamlessly while maintaining data integrity.

Blogs
Safeguarding Financial Transactions with Smart Tokens

Smart tokens are essential to authenticate and authorise financial transactions. They make digital payment systems secure and reliable with multiple layers of protection. Smart tokens are cryptographically secured, meaning they cannot be easily replicated or hacked, and the data associated with each token is encrypted to ensure total privacy. Banks may employ smart tokens to construct a safe, dependable, cost-effective digital payment system to conduct transactions and store consumer data. Tokens may also be used to authenticate end users, making the authentication process safer and faster. It can help to protect against malicious attacks, as tokens cannot be tampered with. Smart tokens present a unique opportunity for the banking sector to revolutionize financial transactions by providing secure, reliable, and cost-effective digital payment solutions

Blogs
Ensuring Secure Cashless Transactions with V-OS Mobile App Protection

V-OS Mobile App Protection offers a comprehensive solution to address the security challenges faced by businesses and customers alike. With its innovative technology and multi-layered approach, V-OS Mobile App Protection safeguards mobile applications from various threats, including reverse engineering, tampering, and code injection. Built on V-Key’s patented V-OS Virtual Secure Element and Runtime Application Self-Protection technology, it ensures the integrity and confidentiality of critical functionality, even when the operating system and device is compromised. By adopting V-OS Mobile App Protection, businesses and customers can have peace of mind, knowing that their data is secure and protected from cyber threats, enabling a safer and more reliable digital payment experience.

Blogs
Protecting Mobile Apps and the Need for Cybersecurity Solutions

Mobile applications have transformed how Filipinos communicate, shop, finance, and do business in the Philippines. With a developing digital economy and ranking fifth globally in app downloads, the Philippines has seen an increase in mobile app adoption across various industries. According to a report by the Philippine National Police Anti-Cybercrime Group, cybercrime cases in the country increased by 80% in 2020 compared to the previous year, and according to Statista, the number of smartphone users in the Philippines is expected to reach 40.9 million by 2023, accounting for a significant portion of the country’s population.

Blogs
Building Trust in a Connected World: Discover the Power of V-OS App Identity

V-OS App Identity has numerous significant advantages that make it an essential solution for businesses looking to improve their Zero Trust Strategy. It removes the need for external authenticators by providing a self-contained secure element for every mobile app. This not only improves security but also improves the user experience.

Blogs
How V-OS Virtual Secure Element Bridges the Trust Gap and Protects Sensitive Data?

V-OS is a virtual operating system that is used on more than 200 million devices worldwide. It is designed to provide a secure environment for apps, servers, and other endpoints in a system so that sensitive data remains protected at all times. One of the key features of V-OS is its ability to provide a secure element bound to every app, which serves as proof of the app’s identity and integrity. 

Blogs
Secure Your Business with V-OS Biometric Identities – The Future of Mobile Authentication

The V-OS Biometrics is a unique smart biometrics solution that helps enterprises, governments, and API partners secure authentication and authorization mechanisms on mobile. It provides instant face biometric authentication that can be used to quickly authenticate users during onboarding or enable as a step-up function for high-risk transactions. By combining V-OS eKYC with V-OS Biometrics, the V-OS Biometric Identity Mobile SDK provides an out-of-the-box, streamlined identity verification and solution.

Blogs
V-OS Smart Token: The Future of Mobile Security

Security is a major concern for both individuals and corporations in today’s digital age. One of the most common methods used for two-factor authentication is the use of hardware OTP (One Time Password) tokens or OTP delivered via SMS.

SMS OTPs have been proven to be insecure, prone to interception and phishing attempts. Hardware tokens are expensive to deploy, can be lost or stolen, are inconvenient to use, and must be replaced on a regular basis.

Blogs
V-OS Mobile App Protection: The Mobile App Security that Powers Trusted Digital Services Globally

In today’s digital world, mobile devices have become an essential part of people’s everyday lives. They are used for communication, entertainment, employment, shopping, and a variety of other purposes. As people become more reliant on their mobile phones, the possibility of cyber-attacks and data breaches grows, and having a mobile app protection solution can keep our personal and sensitive information secure.