50 smartphone users in Singapore hit by malware targeting mobile banking customers.

The malware disguised itself as an operating system update or an update for messaging app WhatsApp to trick customers into entering their credit card information, says the Association of Banks in Singapore.

---

SINGAPORE: About 50 smartphone users here have been hit by malware targeting mobile banking customers in the last three months, the Association of Banks in Singapore (ABS) said on Tuesday (Dec 1).

The average amounts lost by the victims, who are customers of major retail banks here, were around “a couple of hundred dollars”. Some victims could have lost several thousand dollars through multiple transactions, ABS said.

The transactions appear to have originated from Eastern Europe, and include purchases of budget airline tickets. The malware attacks were able to masquerade as the customers themselves by intercepting one-time passwords (OTP) sent to the phone by SMS to make online purchases, ABS said.

One such malware disguised itself as an operating system update for the battery management module or an update for messaging app WhatsApp. In the latter, a pop-up window encouraged consumers to tap it and download a new version of Whatsapp or risk losing access to the service.

After downloading the “update”, users were prompted to enter their credit card information. Once that was entered, the malware intercepted the OTP sent to the phone by SMS.

"Jailbroken iPhones or rooted Android (phones) are vulnerable … and in particular Android, because that phone system involves easier download of third-party apps," said ABS Director Ong-Ang Ai Boon.

Banks may refund victims of such fraudulent transactions on a case-by-case basis, largely depending on whether customers had taken adequate steps to protect themselves from such attacks, ABS said.

Major banks here have noted an increasing trend of malware on mobile devices targeting financial transactions, the association added.