(Singapore 19 May 2023) Singaporean police are warning of recent phishing scams that involve the download of fake ScamShield apps.

They encourage locals to download apps only from reliable sources such as official app stores, because legitimate apps are generally not offered for download outside the Google Play Store or Apple App Store.

“Members of the public are advised not to download any suspicious app on their devices as they may contain phishing malware which allows the scammers to take control of the victim’s devices,” the Police said in a statement.

In the most recent scam variant, members of the public would come across advertisements for the sale of food items via social media messaging platforms like Facebook on their Android mobile devices.

Victims would contact the scammers via WhatsApp, and the scammers would send them a uniform resource locator (URL). The scammers would instruct the victims to download the application found at the URL in order to purchase the food items and make payment. Unauthorized transactions would then be made from the victim’s bank accounts or credit cards.

Images of the conversation between the victim and the “bank staff” in which the victim was asked to download the fake ScamShield App. Source: Singapore Police

Shortly after making these unauthorized transactions, the scammers would contact the victim and introduce themselves as bank staff following up on the fraudulent transactions. The scammer would then recommend that the victim download the ScamShield App using a URL link fraudulently bearing the ScamShield logo, on the pretext of helping the victim safeguard himself against scams and make a report in the ScamShield App. Scammers would insist that the URL link provided is legitimate and would tell victims not to download the ScamShield App from the official Google Play Store.

“Scammers will trick victims into installing malware-infected applications that are outside the app store,” the Police said. 

Several cybersecurity experts have commented on the dangers of bad apps and how to protect oneself against them.

Lim Yihao, a threat intelligence adviser with Mandiant Intelligence, which is part of Google Cloud, told local media that scammers rely on social engineering methods in many cases.

“(They do this by) masquerading as bank officers or law enforcement units to persuade victims to download applications from third-party sites, which are also masquerading as legitimate sites from which to download these applications,” he said as quoted by Today.

He also said some fake apps pretend to be an Android update or a security update, and victims who download these files end up with a malware-infected file on their mobile phones instead.