Latest Phishing Scam Hides Within An App And Is Disturbingly Sophisticated
A Facebook user has shared his disturbing experience of almost losing his savings to a new and sophisticated phishing scam. Describing the series of events on his Facebook page, Smith Ang detailed how a Facebook ad for professional cleaning services led to him temporarily losing access to his online banking account and almost losing RM5,000.
The operation is surprisingly elaborate, involving creating a Facebook page offering professional cleaning services, and paying for ads on Facebook to lure unsuspecting victims. After all, professional cleaning services are quite common these days, with booking and payment usually done online.
A lot of effort went into making it seem legit
To add legitimacy, the scammers mimic an existing professional cleaning service called Maid4u – but the Facebook ad is run by a page called “Magic Maid Cleaning”. Maid4u’s website lists some corporate clients, complimentary sanitisation services and support for credit card payments, but its services are only available in Cyberjaya. Crucially, it also does not have an app (though according to the website, one will be available soon), and its WhatsApp chat button leads to a phone number different from the scammers’.
The Facebook ad includes a WhatsApp chat button, through which the scammer shares a 50% discount promo for new users who book via their app. However, the app download link does not point to the Google Play Store or Apple App Store; instead it delivers an APK file – an Android app installer package – that has not been vetted by Google (since it was never submitted to the Google Play Store). Conveniently, this app requests permission to read SMS messages (a permission some legitimate apps also need), among other permissions.
Upon installation, the app requires setting up an account with information including name, mobile phone number and email address. Bookings and payments can be made through the app, which claims to support “credit cards” and “FPX” – credit card payment was not available, but FPX bank transfers were – a design decision that prompts you to “log in” to your online banking website from within the app. Naturally, the username and password are captured, and since almost every bank requires SMS OTP authentication, the app’s SMS read permission comes into play – the scammer now has everything needed to clear out your bank account.
Thankfully, Ang was able to secure his online banking access by very quickly changing his password before the scammer could authorise a RM4,860 instant transfer. As a technologically savvy user, Ang was able to protect himself from the scammers through luck and quick thinking – but this may not be the case for everyone else. There are several red flags at different points in the process:
- The too-good-to-be-true offer – most professional cleaning services cost around RM50/hour. The “promo” offers a two-hour service with free sanitisation service for only RM40 (admittedly the one-time “new user” offer does make it plausible).
- Inconsistent brand name – the company is Maid4u but the ad shows “Magic Maid Cleaning”.
- “Nationwide” coverage – the scammers are quite smart to ask for the victim’s location, without disclosing what locations their service supposedly covers.
- App download – the biggest red flag, as noted by Ang as well. An APK file is not vetted by Google, and many Android smartphone manufacturers block APK installs from unknown sources by default, because nobody except the app’s developers knows what the app can do. In this case, the app acts as a Trojan horse to gather the victim’s personal information and to read SMS messages when an OTP is required for authorisation.
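For anyone triaging a suspicious sideloaded APK like the one described above, the fastest tell is in its manifest: an app whose stated purpose is booking a cleaner has no reason to read or receive SMS. The Python below is an added example (not code from the original article, nor from the scammers’ app, whose manifest is not known) that parses a decoded AndroidManifest.xml, as produced by a tool such as apktool, and reports the SMS permissions and any SMS_RECEIVED broadcast receiver it declares. The manifest, package name and receiver class are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the OTP-stealing pattern:
SMS permissions plus a receiver for incoming SMS broadcasts.
Example code; the sample manifest below is constructed, not taken from any real app."""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every Android manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that let an app read one-time passcodes delivered by SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest, in the textual form apktool decodes it to.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaningbooking">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Constructed Cleaning App">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """Return class names of <receiver> elements listening for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            found.append(receiver.get(NAME_ATTR))
    return found


def triage(manifest_xml):
    """Return human-readable findings; an empty list means no SMS access declared."""
    findings = []
    sms_perms = sorted(permissions(manifest_xml) & SMS_PERMISSIONS)
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
    receivers = sms_receivers(manifest_xml)
    if receivers:
        findings.append("registers SMS_RECEIVED receiver(s): " + ", ".join(receivers))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print("FINDING:", line)
```

Run it against `apktool d app.apk` output by reading `AndroidManifest.xml` into `triage()`. Either finding on an app with no messaging purpose is enough to stop and not install; the combination of both is exactly what lets a sideloaded app forward bank OTPs.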
You can read Ang’s full experience in the source link.
(Source: Smith Ang (Facebook))