SINGAPORE – At least two Android users lost $99,800 of their Central Provident Fund (CPF) savings in June to scams involving malware.

The police said on Saturday that the victims came across advertisements marketing groceries like seafood on social media platforms, including Facebook.

The victims contacted the businesses through their social media platforms or WhatsApp.

They were sent a URL to download an Android Package Kit (APK) file, an application created for Android’s operating system, to order groceries and make payment. 

APKs are installation files for Android apps that can be downloaded from the Internet and third-party app stores, instead of the Google Play Store.

Apps or APK files from the Internet or a third party could contain phishing malware.

The victims were unaware that the application contained malware that would allow scammers to access the victims’ devices remotely and steal passwords. These included Singpass passcodes, among other details stored in the victims’ devices.

“The scammer might also call the victims to ask for their Singpass passcode, purportedly to create an account on the application,” said the police.

Victims were directed to fake bank sites to key in their login credentials to make payment within the app.

The malware would capture the credentials entered.

The scammers were then able to access the victims’ CPF accounts remotely using the stolen Singpass passcode and make a request to withdraw funds through PayNow.

The police did not state the victims’ ages. CPF members can withdraw some of their savings when they turn 55 and receive monthly payouts under the CPF Life scheme when they reach the eligible age, which is currently 65.

Once the CPF funds were deposited into the victims’ bank accounts, the scammer accessed the victims’ bank applications and transferred the money out via PayNow.

The victims realised they had been scammed when they discovered unauthorised transactions on their bank accounts.