Online scams can occur very easily to anyone, despite continuous enforcement of cyber security. One slight slip-up may cause huge losses of money, with some happening under our noses and it will be too late to recover anything. Therefore, it is important to be informed of all possible threats you may face online.
M’sian software developer, Ah Hong VS shared on Facebook how hackers can swindle money using apps downloaded from untrustworthy sources. The post has since gathered 8.8k likes and 31k shares due to its helpful information. In speaking with Wau Post, Hong said that he has been in this industry for 7 years and he shared this in hopes of enlightening people about the potential risk of online scams.
Online scams through apps downloaded from untrustworthy sites
Hong first explained how Android apps would normally transfer money out of bank accounts. He said that social media apps such as Facebook and Instagram usually offer special discounts, and users will need to download another app to complete the transaction.
Users who frequently download games or apps which cannot be installed from Google Play Store are prone to this scheme. This is because they may have enabled permission to Android Application Package (APK) files from untrustworthy websites.
“This setting prevents users from installing malware, but after it has been enabled, it is very easy to install compromised apps into your phone,” he wrote.
Hong further explained that after you have downloaded an APK file, you may be required to verify your phone number in order to register for an account by using an SMS verification code. To do so, you must enable the app permission to access your SMS or it will not proceed.
“By authorising the permission, the app can now read and delete all of your SMSes,” Hong wrote in his post.
When you have downloaded the app via Facebook or Instagram and you wish to pay for your items, Hong implied that the payment gateway is all fake. The interface users normally see when they are completing a transaction which includes the options of credit card, FPX or other online banking payments are forged.
“No matter what you choose, it will always show that it is under maintenance, and then ‘please try again with another bank/card’. Then, some people will still try again by using another account or another payment method to pay.”
Their customer service will also act benignly by sending messages stating that their system is being upgraded and to try again later. During this time, users have given their bank account username and password to hackers.
Hackers gain control of SMS to ensure no OTP sent
According to Hong, these scammers will proceed by deliberately running their app in your phone’s background by sending you an SMS. This allows their system to continue to connect to your phone.
“If you have received such SMSes, immediately erase your background apps, and check again if your apps are from official sources.”
After making sure that they can read your SMSes, these scammers will make their moves by logging into your bank account and change your registered phone number. Once they have received the One-time Password (OTP) to switch the number, there is no more need for any more incoming OTP to wire money out of your savings account.
Victims will then wonder why they have not received any OTPs for these transactions. Hong then reminded the readers that because the scammers have full permission to their SMS access, they can read and delete them immediately without a trace.
“In fact, they only need to read your OTP message once to change your registered phone number, and then they can already get away with anything.”
How to prevent this?
Hong has suggested some methods to prevent this from happening.
- Be cautious when it comes to downloading APK files from unknown sources. Do not enable the “Allow install from unknown resources” setting.
- If you must install these kinds of APK files, turn it off at once after installing.
- Check your app list at all times and remove those you do not use.
- Recognize the security photo of your online banking accounts. If it does not appear, it means that the e-banking portal is fake.
- Check which apps have been authorised permission to access SMS, and only enable this setting to trustworthy apps.
- Only install apps from Google Play. Do not download apps from unknown sites.
He continued to inform readers that times have changed, and mugging has evolved into online scamming. Therefore, it is important to learn about these preventive measures when it comes to online transactions.