SINGAPORE — Among the recent spate of online scams involving huge losses, many seem to stem from the installation of malware through third-party applications meant for Android mobile devices.
In a media release issued over the weekend, the police said that they have received an increasing number of reports since January this year of “malware being used to compromise Android mobile devices”.
The recent types of such scams include:
- The purported sale of mooncakes through social media platforms in August, where users were led to malicious links when making payment for their “purchases”
- Messages from purported female subjects on TikTok and dating apps, requesting that users click on a malicious link to continue the engagement
- The circulation of a fake GST Voucher app, asking users to integrate the app with their bank accounts
In these scams, victims were often led to click on malicious online links.
Scammers may present such links to users through false advertisements on social media platforms, payment processes for online purchases, or in phone text messages, for example.
Through the links, victims are led either to phishing sites to give away personal data or to download harmful Android Package Kit (APK) files, used to distribute and install apps on Android mobile phones.
Once a victim has downloaded and installed the APK file, which includes granting accessibility and permissions to the third-party app, scammers would be able to access the victim’s device remotely.
This could allow them to steal victims’ passwords, while malware with keylogging capabilities means that scammers could retrieve the victims’ banking credentials.
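A defender's check for the pattern described above, as an added example that is not part of the original article or of any police or CSA tooling: it parses the output of two standard Android commands and flags apps installed from outside Google Play, ranking those that also hold an enabled accessibility service highest. The sample outputs and package names are constructed, the function names are hypothetical, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Assumption: only Google Play counts as a trusted install source; extend for OEM stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps + installer).
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.shopapp  installer=com.google.android.packageinstaller
package:com.example.voucher  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.example.screenreader/.ReaderService:"
               "com.example.shopapp/com.example.shopapp.HelperService")

def parse_installers(text):
    """Map package name -> installer package from `pm list packages -i` output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_accessibility(value):
    """Map package name -> enabled accessibility service classes."""
    value = value.strip()
    if not value or value == "null":  # the setting reads "null" when nothing is enabled
        return {}
    services = {}
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def audit(packages_text, a11y_value):
    """List sideloaded apps; those holding an accessibility service rank 'high'."""
    services = parse_accessibility(a11y_value)
    findings = []
    for pkg, installer in sorted(parse_installers(packages_text).items()):
        if installer not in TRUSTED_INSTALLERS:
            level = "high" if pkg in services else "review"
            findings.append((pkg, installer, level))
    return findings
```

On a real device, pass the live output of the two commands named in the comments to `audit()` in place of the constructed samples.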
Responding to TODAY’s query, the Cyber Security Agency of Singapore said that it was aware of an “uptick of online scams targeting Android users”.
“Android’s open nature allows for greater flexibility and customisation for developers and users, and they are the top mobile operating system globally, taking up about 70 per cent of the market share.
“With more users, the probability that Android phones will be targeted will be higher.”
That said, the agency added that cyber criminals are “opportunistic and will spread their net wide”. It said that it had also seen Apple’s iOS devices being targeted, with “two recent zero-day vulnerabilities, which were used to install spyware on a range of Apple products such as Macs, iPhones and iPads”.
TODAY spoke with Google and cybersecurity experts to understand why Android devices might be more susceptible to such scams, and what can be done to better protect Android users.
WHAT ARE ANDROID PACKAGE KITS?
An APK file is an application created for Android’s operating system. It is a file format used to distribute and install apps on Android mobile phones.
Using an APK file to download a third-party app to an Android device is commonly known as “sideloading”.
In April this year, the police and CSA issued a joint advisory against downloading apps from third-party or dubious sites.
Doing so may lead to the installation of malware in the device, which in turn may result in confidential and sensitive data such as banking credentials being stolen.
WHY ARE ANDROID DEVICES MORE OPEN TO SCAMS?
Mr Aman Dayal, head of regional trust and safety operations for Google Play Asia Pacific, said that Android was built as an “open-source mobile operating system”.
Open-source software refers to software whose source code anyone can publicly access, inspect, modify and enhance.
“For closed platforms, ‘security’ sometimes means taking choices away from users and restricting what they can do with their devices.
“Our approach is different. We have developed layers of security to help protect users from potentially harmful apps, plus other risks like network exploitation and phishing, while also allowing users to take advantage of the benefits of openness,” he added.
Experts told TODAY that although this openness means fewer restrictions for users and their devices, it also exposes them to more risks.
Mr Kenny Yeo, director and head of Asia Pacific cybersecurity practice with consultancy firm Frost & Sullivan, said: “The (Android) operating system is licensed as open-source, which allows for the numerous different vendors to easily create their own Android-powered mobile devices.
“(But) this openness and ease of flexibility also unfortunately means that it can be potentially exploited by cyber criminals, by creating nefarious customisation and apps to trick users.”
Agreeing, Mr Ali Fazeli, a senior consultant at cybersecurity company Infinity Forensics, said that since Android is an open-source platform, users have more control over the phone itself and can choose to bypass certain security measures under the phone’s settings.
Android devices block the download of unknown apps by default, but if users disable this default setting, they can easily install “unknown” APK files that are not from the official Google Play Store.
Mr Ali said that users or developers do this to create apps for their private use, for instance, and may not want these personal apps to be hosted publicly on the official app store.
Having the APK option might also allow developers to bypass a specified period required to secure proper certification and onboard an app onto the official Google Play Store, he added.
Mr Terence Siau, general manager at the Centre for Strategic Cyberspace International Studies (CSCIS), said that users may also turn to third-party sites to download jailbroken apps.
WHAT SAFEGUARDS ARE THERE ON ANDROID DEVICES?
Mr Aman said that Google Play “builds protections” into its core operating system, and that it continually scans devices for malware and other harmful behaviour.
Google Play Protect, a built-in tool on the Google Play Store, sends users a notification with options to remove, disable or uninstall a potentially harmful app, if found.
Outside of the Google Play Store, an alert is also displayed on users’ devices should they decide to download an app from an unknown source.
“Sideloading apps from an unvetted source can pose security risks to a user’s device,” Mr Aman said.
“Before users install an app from an unknown source, we remind the user to consider the risk. Then, if the users know and trust the developer, they can proceed.”
He added: “We scan more than 100 billion apps each day. Then we share our findings with the world. Because Android is open, a global community of security researchers is constantly critiquing our work.”
This allows Google to collectively improve its offerings along the way.
“We are also deepening our partnerships with government and cybersecurity agencies to identify and remove potentially harmful apps from Google Play in a timely manner, and are quick to identify and block messages on Android devices that are potentially linked to app-based spam, phishing, scams or malware,” Mr Aman said.
HOW MAY ANDROID USERS GUARD AGAINST SCAMS?
The cybersecurity experts interviewed by TODAY said that users of mobile devices are the main safeguard against such malicious apps.
Noting that the sideloading of apps is disabled by default and that alerts are also in place to warn users, Mr Yeo of Frost & Sullivan said that “device manufacturers are already putting measures in place”.
However, an unwitting user who may not truly understand the warnings may simply grant permission to an app to bypass the default setting.
“So, the most important measure possible is still the user action. The users must stop themselves from bypassing these measures,” Mr Yeo added.
As a rule of thumb, Mr Ali of Infinity Forensics said that users should download apps only from the official app store where possible. This is because the majority of these apps have already undergone a security audit.
Where an app might not be available on the official app store due to country or device limitations, users may choose to download the app from the developer’s official website.
Mr Siau of CSCIS said that users may also turn to security apps and software that perform basic, preventive checks to guard their devices.
A potentially harmful app may be almost impossible to spot because its malware is hidden, but users may take precautions to spot a fake app by checking against the app provider’s official website, and looking out for platform reviews or pictures, wordings and online links that may be out of the norm.
“If you look at flexibility and security, it is a tension on both sides of the spectrum,” Mr Yeo said.
“If you allow for more flexibility, it will be less secure; and vice versa.
“Both Android and iOS platforms are striving to provide a safe environment for users to enjoy their mobile devices, but we have to play our part (also) and be careful.”
TODAY has reached out to the police for more details on the scams related to Android devices and the losses so far.