QuickCheck: Are crooks using a cleaning services app to wipe victims’ bank accounts?
Scammers empty the bank accounts of unfortunate victims who are simply looking for help cleaning their homes.
Is it true?
A recent exclusive from The Star shows that scammers gain access to victims’ bank accounts through a combination of social engineering and malware.
Victims who search for part-time cleaners online are tricked into downloading an app that acts as a Trojan to steal their bank details.
The Star found a few web pages offering “discounts on cleaning services” that turned out to be nothing more than a front for scammers.
Victims who contact “service providers” after coming across online sites receive a link with a request to install an Android package (APK) application.
APKs are files used by Android operating systems and other Android-based operating systems (such as Huawei’s HarmonyOS) for the distribution and installation of mobile applications and games.
After downloading the APK, the victim basically installed a Trojan on their device which allows crooks to access certain applications such as SMS service.
This allows scammers to obtain a Transaction Authorization Code (TAC) and other information when users pay for reservations through the app, to siphon money from victims’ bank accounts.
Fake ads are also being shown on social media, one victim found.
Muhammad Nor Izzudin Hamzah, 32, told The Star he lost nearly RM19,000 on April 23.
“I saw an advertisement on Facebook. My mistake was to install the APK and its application. I did not know that my username and password had been stolen when I made a reservation.
“The scammer’s site looked exactly like the bank’s website I used. The APK and app I installed contained malware that allowed them to access my TAC messages.
“I didn’t realize what had happened until I got a notification from my bank,” the insurance agent said.
Police are aware of these scams and even warned the public in February that crime syndicates were using popular messaging service WhatsApp to target unsuspecting people.
According to the Director of the Federal Commercial Crimes Investigation Department (CCID), Comm Datuk Mohd Kamarudin Md Din, the scammers used the same tactic to trick victims into downloading malware onto their devices.
“The app will then take over the buyer’s existing SMS system, and the buyer will need to register and fill in their personal and bank details before they can use the app.
“After pressing the ‘Submit’ button, an error message will be displayed because the application is not linked to any legitimate banking site,” he said at a press conference on February 10. .
“With enough information, scammers can transfer money from the buyer’s account without their knowledge,” he added.
There are a number of things you can do to protect yourself (and your bank account) from sinister scammers and their nasty malware.
From reports so far, scammers are targeting Android-based phones, as iOS devices do not use APKs and iPhone users can only install apps from the Apple Store.
For Android users, do not download apps from anywhere other than the Google Play Store and make sure the “unknown sources” setting for app downloads is disabled on your phone.
It will be disabled by default so crooks will try to convince you to enable it, but don’t listen to them.
Reputable companies that use apps as part of their services would distribute their app through legitimate channels i.e. Play Store.
Don’t ignore the pop-up asking you to update your device’s operating system, updating your phone is the best way to get the latest patches and security patches.
Beware of social engineering scams. They will send fake text messages intended to collect personal data and email malicious links and attachments in the hope that they can gain access to your bank account.
Speaking of bank accounts, cybercriminals are very good at spoofing banking apps and websites, so make sure the app or site you’re entering your username and password into is from your bank.
Finally, treat all communications from unknown sources as suspicious. If that sounds fishy, it most likely is.