Android users in Singapore to face restrictions from installing unverified apps

SINGAPORE: To reduce the increasing number of malware scams, some Android users in Singapore will soon face limitations on downloading apps from unverified sources, a process known as sideloading.

This move comes as part of a new trial initiated by Google, in collaboration with the Cyber Security Agency of Singapore (CSA), aiming to enhance the security of Android devices against fraudulent activities.

According to a statement released on 7 February by Google, the gradual rollout of this security feature will commence in Singapore, making it the first country to implement such measures.

The update, set to be deployed over the next few weeks, will be incorporated into Google Play Protect and will automatically detect apps utilizing suspicious permissions, such as the ability to access sensitive information like screen content or SMS messages – permissions often exploited by scammers to intercept one-time passwords.

Eugene Liderman, Director of Android Security Strategy at Google, stated that users who attempt to download suspicious apps will be promptly notified and provided with an explanation.

Importantly, Mr Liderman emphasized that users will not be able to deactivate this feature without disabling Google Play Protect entirely, a measure implemented to safeguard against potential social engineering tactics used by fraudsters.

Mr Liderman highlighted the necessity of this enhanced security feature, particularly in light of the surge in financial fraud cases witnessed over the past year in Singapore.

With Android devices being widely used across the nation, the implementation of such measures is deemed crucial to protect mobile users from falling victim to malicious activities.

Malware scams typically involve luring victims into downloading Android Package Kit (APK) files from sources like websites or messaging apps under the pretext of receiving gifts or deals.

This initiative represents Google’s most robust effort yet to combat the proliferation of malicious sideloaded apps.

Previously, Android users were advised to conduct scans of their apps to determine their safety before installation.

In a similar vein, Samsung, which operates on the Android platform, introduced the Auto Blocker One UI 6 for Samsung Galaxy device users in November.

This tool, accessible through the settings menu, restricts the installation of sideloaded apps from unverified sources.

Singapore tops global scam losses; android malware cases highlighted

According to a joint study conducted by the Global Anti-Scam Alliance (Gasa) and ScamAdviser in 2023, Singapore experienced the highest average losses due to scams.

Globally, scammers managed to accumulate an estimated sum of US$1.02 trillion between August 2022 and August 2023.

In comparison to previous years, Singapore’s average losses surpassed the figures of US$55.3 billion and US$47.8 billion recorded in 2020.

The study revealed that the average victim of scams in Singapore lost US$4,031, which is the highest globally.

This was followed by Switzerland at US$3,767 and Austria at US$3,484, indicating the attractiveness of these affluent nations as targets for scammers.

Just last month, the police revealed that at least five individuals had fallen prey to scams related to the sale of festive food items, particularly Chinese New Year delicacies.

Collectively, these victims incurred estimated losses totaling S$167,000 (US$124,000).

The police disclosed that fraudulent advertisements promoting the sale of food items were predominantly circulated on popular social media platforms, namely Facebook and Instagram.

These deceptive ads, appearing authentic at first glance, enticed victims with appealing offers of festive treats. Upon clicking on the links embedded in these advertisements, potential victims were redirected to messaging platforms like Facebook, Instagram, or WhatsApp.

Here, scammers deployed a cunning tactic, instructing victims to download an APK to facilitate their orders for the food items.

However, this seemingly harmless step served as a gateway for scammers to remotely access victims’ devices, enabling them to pilfer banking credentials and passwords.

Notably, malware scam cases involving Android malware seem to be the most common ones in Singapore, aside from phishing scams, based on reported cases over the years.

Minister for Home Affairs, Mr K Shanmugam, stated during a parliamentary debate last month that from January 2022 to November 2023, the police received about 2,000 reports of victims having downloaded malware onto their Android devices.

“Police have yet to detect cases involving iOS devices,” he added.

His remarks were in response to a question from Dr Tan Wu Meng about the number of reported internet banking scams caused by compromises to smartphones by malware.

Past anti-scam measures unveiled by authorities

In January, authorities introduced several initiatives to address scams.

Among them was the launch of a set of standards for app developers by the Cyber Security Agency of Singapore (CSA) and guidelines for telecommunications companies (telcos) to identify and better protect vulnerable users, led by the Infocomm Media Development Authority (IMDA).

These measures were disclosed by Communications and Information Minister Josephine Teo on 10 January in response to a motion on fostering an inclusive and secure digital society, initiated by Members of Parliament (MPs) from the Government Parliamentary Committee for Communications and Information.

Mrs Teo and Mr Tan Kiat How, Senior Minister of State for Communications and Information, also unveiled two additional initiatives: a framework aimed at helping Singaporeans acquire skills related to essential digital activities in daily life, and a $20 million research program designed to enhance domestic capabilities in addressing emerging forms of online harm.

MAS and IMDA propose framework to combat phishing scams and fraud

Additionally, the Monetary Authority of Singapore (MAS) and the IMDA had previously released a detailed consultation paper outlining a framework to address losses from phishing scams and similar frauds in October 2023.

The framework aims to determine how these losses should be divided among consumers, banks, and telecommunication companies (telcos).

The proposed measures include implementing a 12-hour cooling-off period for new payees, sending real-time transaction alerts, and maintaining round-the-clock channels for reporting suspicious activities.

Banks would be required to fully reimburse consumers for any losses incurred in cases of non-compliance or lapses, enhancing their accountability as custodians of customer funds and building public trust in digital banking services.

Furthermore, the framework assigns specific responsibilities to telcos, mandating them to enhance security measures such as ensuring the authenticity of connections for Sender ID SMS and deploying advanced content filters to intercept and block scam-related communication.

Telcos would bear liability for losses if scams succeed due to shortcomings in these security protocols, despite financial institutions’ due diligence.

However, while the proposed guidelines initially focus on phishing scams connected to Singapore, they exclude cases where victims knowingly authorize payments or share their details directly with scammers.

The reason, as articulated by MAS and IMDA, hinges on the novelty of malware scams and the ongoing deployment of countermeasures, making it untimely to delineate explicit duties for various parties involved.

Proposal for banks to reimburse victims in malware scams shot down in Parliament

Sylvia Lim, chairman of the Workers’ Party, previously raised the issue of compensation in Parliament, proposing that banks fully reimburse scam victims for losses resulting from malware scams beyond their control.

However, her proposal faced resistance from Minister of State for Trade and Industry, Mr Alvin Tan, who argued that an unconditional restitution policy could inadvertently undermine personal accountability.

Ms Lim spoke during an adjournment motion on 18 September, where she highlighted the vulnerabilities inherent in the current digital banking landscape.

“Given the delay in the publication of this framework, many scam victims have been left without recourse under the Loss Sharing Framework by no fault of their own,” she said.

She further advocated for stronger consumer protection protocols, referencing models in jurisdictions like the UK where banks take a more proactive role in scam prevention and victim reimbursement.

In a definitive rebuttal, Mr Tan stated, “Full restitution without due consideration of culpability is neither fair nor desirable. Doing so can erode vigilance and personal responsibility, and lull users into complacency.”

He emphasized the government’s comprehensive strategy against digital fraud, including strengthening system security through multi-factor authentication and launching public education campaigns and anti-scam applications like Scamshield.

Mr Tan also underscored the importance of consumer responsibility in ensuring transaction security, stating, “Even with enhanced security, scammers can still bypass the digital security measures.

“This is why every consumer has to play an important role by practicing good cyber hygiene and being digitally diligent.”