Android devices in the crosshairs of APAC’s financial scammers: Report


A new report has detailed a litany of vulnerabilities within Android devices that are enabling financial scammers to circumvent traditional bank and app store controls.

The Digital Banking Fraud Trends in APAC report, authored by cybersecurity vendor and behavioural biometrics developer BioCatch, outlined several methods being used by today’s scammers to side-step Google Play Store defences.

BioCatch data revealed that mobile apps are the preferred medium for cyber scammers, accounting for 70 per cent of digital fraud cases – a 17 per cent increase on the previous year.

“Malware developers continue to innovate, circumventing bank and Google Play Store defences to harvest what they need from mobile devices to access digital banking accounts and then transfer away the victim’s funds to a money mule,” BioCatch wrote.

Malicious developers have, for instance, taken to acquiring existing, legitimate applications and embedding backdoors in them through which they can drop in their own software or code.

“This enables keyloggers, screen-sharing, SMS-reading, and other permissions that grant scammers access to all the pertinent personal information they need to access the victim’s digital banking accounts and then transfer away the victim’s funds to a money mule account,” wrote Edgar Zayas, BioCatch director, global advisory.

While Singapore banks have taken to blocking devices identified as having a ‘side-loaded’ app installed on them, Zayas said, fast-moving malware developers are getting around this block by simply adding code to their apps that makes them appear to have been downloaded from Google Play.

Scammers are also creating ‘pinjol’ apps that are available on the Google Play store – illegal online lending apps that lure their victims with promises of a quick and painless online loan.

“These apps contain malware-like features that allow a scammer to access personal data, contacts, messages, and even photos, which the scammer can then use to blackmail the borrower into paying exorbitant interest rates.

“Some believe the initial funds lent to the victim are also taken fraudulently and then laundered through these predatory lending companies, which are in turn run by criminal syndicates that specialise in financial crime.”

The report also identified the increased outsourcing of money laundering operations by APAC-based criminal organisations (who clean money stolen via scam activity) to specialist international syndicates.

Laundering syndicates often leverage the latest technology to train their paid mules, employing specialised mobile apps to train, incentivise, and communicate with these individuals.

These apps offer money-laundering training sessions and even provide users with a leaderboard of the most active mule accounts to encourage mules to transfer more stolen money faster.

These mule accounts serve as intermediate stops between the victim’s bank account and the final account from which the criminals plan to withdraw the stolen money.

“This both reduces overhead costs for the criminal organisation receiving the funds and adds a level of professionalism and efficiency to the scamming and laundering process,” BioCatch wrote.

The vendor noted that while these laundering networks are typically based in China, scammed funds were seen flowing through accounts across a number of Southeast Asian countries and being converted into cryptocurrencies like Tether (USDT) at stops along the way to further obscure their origin.

BioCatch said its systems identified and helped APAC banks shut down more than 150,000 money mule accounts in 2023. However, the vendor conceded that this number almost certainly represents just a tiny fraction of those actively laundering money in the region.

Financial institutions globally, it stressed, must do more to “identify these mules, hamper their ability to open new accounts, and identify those legitimate accounts money launderers succeed in turning from good to bad”.

The report also detailed the changing tactics of cyber fraudsters as financial services beef up security on their apps and online services. While BioCatch recorded a significant decline in remote access fraud (down by 86 per cent between 2021 and 2023), this was more than offset by a surge in successful social engineering scams.

For instance, as fraudsters “master the art of social engineering”, BioCatch noted a 33 per cent decrease in the average time to complete a successful impersonation scam – down from almost 12 minutes in 2022 to eight minutes last year.

Voice scams appear to be the go-to method for social engineering scammers, with BioCatch reporting a 108 per cent increase in this method across APAC between 2022 and 2023.

BioCatch also identified a change in behaviour before scams occur, with scammers appearing better at identifying vulnerable accounts.

“There has been a 230 per cent increase in the volume of cases which see at least one failed attempt to log into the victim’s account prior to the reported scam session.

“This suggests fraudsters are getting better at ‘doing their homework’ on the targeted accounts, potentially to collect additional information that helps their scam appear more legitimate.”