M'sian Software Developer Shares How Hackers Can Wire Money Out Of Your Bank Without OTPs
A Malaysian software developer's Facebook post has gone viral for detailing how Android users who install apps of unknown origin can let scammers gain complete access to their bank accounts.
The post was uploaded by Ah Hong VS on Tuesday, 7 June, and it has since garnered over 30,000 shares, with hundreds of netizens thanking him for taking the time to share the informative public service announcement (PSA).
Hong said he is a software developer specialising in mobile apps. He told SAYS that he shared what he knew out of goodwill so that people can learn about the growing danger of online scams.
"Usually, many Facebook and Instagram ads will offer special discounts and then the payment requires you to download an app to complete the transaction," he began.
"It is especially easy for Chinese users to (be a victim) because their phones' security has been compromised. If you have played Chinese games such as Wang Z-- R- Y-- and He P--- J--- Ying, you have already enabled the permission to install from unknown sources in the setting."
"This setting is to prevent the installation of malware. But since it is turned on, installing malware apps is a breeze."
Hong was referring to the widely popular multiplayer online battle arena (MOBA) and battle royale games that are published for the Chinese market.
However, the same applies to anyone who installs apps that are not available in their region, or who downloads pirated versions of video games and apps.
Hong proceeded to talk about Android Package Kit (APK)
For context, an APK is the archive file (the app's code, resources and metadata packaged into a single file) that Android uses to install an app.
Normally, when one downloads an app or an update from Google Play, the store installs the APK automatically. Apps on Google Play go through Google's review and malware scanning before they are made available to users.
Downloading APKs directly from unofficial sources skips those checks and risks putting malware on the device, which is why Android keeps installation from unknown sources switched off by default.
Hong continued, "After installing the APK (an app you download from an unofficial source in this case), you need to create an account."
"At this stage, everything still looks very normal, like any ordinary app. When it comes to SMS authentication verification, it will request 'SMS permission' otherwise you won't be able to continue."
"When you authorise the 'SMS permission' to the app, the app can read and delete SMSes you receive."
Hong said that during the shopping process, after users click the link from the Facebook and Instagram ads, they would have to proceed to pay through the app they installed
"The payment gateway you go to when you want to make payment is all fake. Credit card, FPX, Maybank, AmBank, etc... The e-banking interfaces are all fake," he shared.
"You can't get past the page regardless of what you enter (credit card credentials or bank login details). (It will say that it is) under maintenance and then 'please try again with another bank/card.'"
"Then, people who haven't realised will continue to use another account, and they will continue to swipe or pay with another account, but they still can't pay."
"Their customer service will come to 'comfort' you: Dear customer, our system is being upgraded, please try again later."
During the process, Hong said users have handed over their usernames and passwords to bad actors
The bad actors would then begin to transfer money out of their savings accounts or spend on their credit cards.
Hong said that not every app can keep running in the background, because phones have power-saving modes that kill off background processes.
"So they (bad actors) will deliberately ensure that their app is still running in the background of your phone by sending you an SMS and making sure their app is still connected to their system," he related.
"If you receive such an SMS, turn off all apps immediately. Check your app list to make sure it contains only apps from official sources."
Hong said that when the scammers send an SMS to a user, they are confirming that their app can still read the phone's SMSes.
"They will start to act. They will log in to your (bank) accounts to change the password that is bound to your phone."
"Be aware. They are not transferring money yet. They are changing the phone number that is bound to the bank."
"Once the changes are made and they receive the one-time password (OTP) for the action, they do not need OTPs to be sent to your mobile phone to transfer money anymore. Basically, you won't know how much money they have transferred out of your accounts until you check."
When users have been hacked, Hong said they must be wondering how their money could have been transferred out without receiving any OTP notification
"Remember what I said in the beginning? The app already has the SMS permission to read and delete (any SMSes). They read your SMSes and delete them directly, without you even knowing it," he explained.
"They only need to read your SMS once to change the phone number bound to your bank accounts that receive OTPs. After that, they can basically do whatever they want."
Hong contended that this modus operandi is the reason why so many victims complain that they never received an OTP.
These are his suggestions to avoid becoming a victim of hackers:
– Install apps from China with caution. This is very important, especially for people who download APKs. Do not turn on 'allow app installation from unknown sources' in the setting.
– If you have to turn on the setting to download (the MOBA video game), remember to turn it off after installation.
– Check the apps on your phone regularly. Delete unused apps immediately.
– Remember the security photo of your online banking accounts. If you don't see the right photo, it is not the real e-banking portal.
– Remember to check which apps have permission to access your SMSes and make sure you only allow this feature to apps you trust.
– Only install apps from Google Play. Do not install apps from elsewhere.
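The tip about checking which apps can access your SMSes can be done from a computer as well as from the phone's settings. The script below is an added example, not code from Hong's post or from SAYS: it parses the output of Android's `dumpsys package` command (reachable through `adb shell` when USB debugging is enabled) and flags any app that has been granted READ_SMS or RECEIVE_SMS and whose recorded installer is not Google Play (`com.android.vending`). An installer of `null` means the app was sideloaded, which is exactly the unknown-source APK case the post warns about. The sample dump embedded in the script is constructed and the package names are made up; only the `Package [...]`, `installerPackageName=` and `granted=true` lines are read, so the real, much longer output works the same way.

```shell
#!/bin/sh
# Added example (not from the original post): flag installed apps that hold an
# SMS permission and did not come from Google Play, by parsing the output of
# Android's `dumpsys package`. Any app granted RECEIVE_SMS or READ_SMS can read
# incoming OTPs, which is the capability the scam described above relies on.
#
# Intended usage against a real phone with USB debugging enabled: dump every
# third-party package and pipe the lot through the checker.
#   for p in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
#     adb shell dumpsys package "$p"
#   done | tr -d '\r' | flag_sms_apps

# Constructed sample standing in for `dumpsys package` output (package names
# are made up). Real output has many more fields; only the lines used below matter.
SAMPLE_DUMPSYS='Package [com.example.shopdeal] (1a2b3c):
    userId=10123
    installerPackageName=null
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
Package [com.example.messenger] (4d5e6f):
    userId=10045
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
Package [com.example.game] (7a8b9c):
    userId=10200
    installerPackageName=null
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
'

# Reads dumpsys text on stdin; prints "<package> <installer>" for each package
# that has READ_SMS or RECEIVE_SMS granted and whose installer is anything other
# than Google Play (com.android.vending). A null installer means sideloaded.
flag_sms_apps() {
  awk '
    function report() {
      if (pkg != "" && sms && inst != "com.android.vending") print pkg, inst
    }
    # Each "Package [name] (hash):" header starts a new package record.
    /^Package \[/ {
      report()
      pkg = $2; sub(/^\[/, "", pkg); sub(/\]$/, "", pkg)
      sms = 0; inst = "unknown"
    }
    # Who installed it: com.android.vending is Google Play, null is sideloaded.
    /installerPackageName=/ { inst = $0; sub(/.*installerPackageName=/, "", inst) }
    # Either SMS permission being granted is enough to read incoming OTPs.
    /android\.permission\.(READ_SMS|RECEIVE_SMS): granted=true/ { sms = 1 }
    END { report() }
  '
}

# Run the check over the constructed sample.
printf '%s' "$SAMPLE_DUMPSYS" | flag_sms_apps
```

Only `com.example.shopdeal` is reported: the messenger also reads SMS but came from Google Play, and the sideloaded game has no SMS permission. Anything the script prints is worth uninstalling unless you installed it deliberately and it genuinely needs to read your messages.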
Hong said he will share another post on the same issue for iOS users.