Lured byseeminglylocally-basedonline ads, phishing spam or other clickbait, hordes of people in Singapore have been digitally robbed …

After a spate of numerous phishing scams amounting to losses of millions of dollars by individuals in Singapore, many banks in the country have introduced new security measures to ensure customers are less vulnerable to scams that exploit mobile phone security weaknesses.

The bank’s mobile apps have been updated to restrict customers from accessing digital banking services if apps present on a device are determined to be from unverified sources.

In view of data privacy and user rights protection, the banks have emphasized that the security updates do not monitor users’ phone activities or gather personal data: the goal is to enhance protection of customers from scammers who seek to breach victims’ mobile devices to gain complete control.

One way this has been achieved by scammers is to plant enticing phishing ads, and then convince interested buyers to download some spurious “payment app” before they can enjoy such a great promotion. Once downloaded and installed, such so-called payment apps have been used to gain access to, and wipe out, victims’ bank accounts.

A timely move by the banks?

According to Vivek Gullapalli, CISO (APAC), Check Point Software Technologies, his firm’s protection platform has recorded an average of 340 attacks on financial institutions in Singapore every week for the past six months. He observed: “While the general public tends to rely on the security provided by browsers, mobile devices, apps, and the banks themselves, there is a growing concern about the robustness of these underlying infrastructures. It is imperative that banking applications adopt a zero trust strategy to determine potential customer compromises and ensure their safety. Although some customers might express reservations due to privacy concerns, it is essential to prioritize the security and trust in the system to protect them from potential fraud.”

Gullapalli also noted that, with banking apps reminding users proactively about some detected vulnerability in the smart device before allowing any use of the service, “is crucial, especially in today’s digital landscape which now also integrates artificial intelligence elements.”

While some of the victims of such scams had been aware of prevailing too-good-to-be-true promotions — and had not provided personal and banking details on phone calls with the scammers — their eventual decision to download a mobile app of unknown origins recommended by the seller, had resulted in disaster. This method of installing mobile apps outside of official app stores (which have also missed their mark countless times in sniffing out malware before they get installed on trusting users’ smart devices) is called ‘side-loading’. On Android-based smart devices running updated system software, the ability of any mobile browser to side-load anything is disabled by default. Users have to specifically grant permission for any mobile browser to side-load the “apk” (Android Package Kit) files proffered by scammers to gain secret control of the smart device. When potential victims encounter warning prompts by the operating system, the scammers will have to convince them to grant the necessary permissions — a key turning point in the ruse. Once a malicious app is successfully installed, it will be able to bypass or reset other security settings to achieve its goals, without the victim’s intervention.

According to Ray Kelly, Fellow, Synopsys Software Integrity Group: “Side-loading apps is extremely risky. While it may feel liberating to the user to (be able to) install any app they want, many apps have skirted the Apple and Google review process and can contain malware and/or spyware, leaving users unaware that their data and information is open to the potential of being stolen.”

On iOS devices, users are usually only able to download and install stuff from the official App Store. However, due to regulations in Europe forcing Apple to allow alternative app stores to level the playing field for competition, scammers may eventually have a field day everyday in future, targeting iOS users.