Why I’ve switched from Android to iOS: A story of possible malware and why you can never be too careful

The price of freedom is (personal) vigilance. Image credit: Pexels/Towfiqu barbhuiya.

Editor’s note: This is a personal anecdote shared by a long-time HWZ writer and is not representative of the security postures afforded on any operating system. The writer has been a phone reviewer since the 2000s and has freelanced with HWZ since.

An unwilling switch from Android to iOS

I’ve been writing for HardwareZone for a while. I continued freelancing whenever I could, after moving on from my role to another career path back in the noughties. Those who know me and are reading this will say that I’ve been among the most ardent defenders of Android since I first laid hands on the HTC G1 Dream in 2008. 

While that early HWZ team was evenly divided between iOS and Android loyalists, I endured a lot of good-natured ribbing as one of Android’s loudest supporters. I would jump in to defend Google’s mobile OS at the slightest hint of debate. 

It helped that my colleagues were largely Android users in the roles I moved on to. Some even converted after a bout of “passionate” evangelism on my part.

Unfortunately, I can no longer express that enthusiasm for Android’s open-source ecosystem, as it was also my downfall. It led to a month of panic, frustration, and many missed deadlines.

(Editor’s note: Non-apology apology accepted.)

What prompted the change of heart? It’s probably malware and has been in the news lately.

Malware: never say never

What I never thought would happen to me, happened to me. Image credit: Pexels/Mikhail Nilov.

When I made my first public appearance with an iPhone 15 Pro Max earlier this month, there were exclamations of surprise and satisfaction from friends and family alike:

“You aren’t the real Count! What have they done to him!”

“Finally, you’ve come to your senses! Better late than never…”

Whether I had “come to my senses” is up for debate, but I knew for certain: I no longer felt safe using Android phones after losing hundreds of dollars in online transactions I did not know of, or approve of. 

As you’ve probably heard by now, there has been an exponentially growing number of scammers exploiting Android’s openness to third-party apps and accessibility permissions, which, at the highest levels, even allow a phone to be controlled remotely to perform fraudulent acts of all kinds.

In Singapore, this really took off in a big way in 2023, with affected Android users losing over $334.5 million in the first half of this year alone.

For my part, I once believed that such misfortune befalls only those gullible enough to allow scammers to trick them into installing third-party apps, who count on human greed or a lowered guard to make these missteps and open doors for malicious inroads. 

Having reviewed phones for decades also meant that I should have known what I was up against, but losing money without my knowledge has given me a new lens on how little I understand the complexity of malware — regardless of a person’s technological proficiency or interest.

What actually happened

The circumstances surrounding the attack leave me wondering if it was performed by malware with accessibility permissions or screen recording. Image credit: Christiaan Colen.

Here’s my deal.

I have tried a lot of official and third-party apps, such as ReVanced (which are not from the Play Store). I’ve always tried to ensure that whatever app on my phone has good reviews, or is highly spoken of by relevant communities. 

In short, I believed I would never be affected, because I paid full attention to what I tapped into. It’s a belief shared by many Android power users who regularly try out new apps before they go live in an app store or install beta copies of mobile games. Being malware-free for decades also adds to the certainty of Android and app mastery.

That belief held up until a month before my iPhone purchase.

Image credit: Pexels. Photo by Ketut Subiyanto.

It was one random night when I woke up and sensed something amiss. I reached for my phone, and there sat the dreaded notification: 

We noticed suspicious transactions on your account. For your safety, your card has been blocked. Contact (the bank’s name) immediately. 

A quick check on two of my credit cards from different banks revealed dozens of fraudulent transactions that had occurred, to the tune of about $700.

Here’s where it gets complicated: these transactions were done on two cards with different banks without my knowledge, or approval. No other sensitive information has been compromised thus far (it’s been months since this incident). 

The amount shown in this letter is for just one of the two affected credit cards.

After long sessions on two separate customer support lines in which I went through all the fraudulent transactions with the respective support executives, I was told that my cards would have to be replaced.

As per common practice, the transactions were not immediately “cancelled” – rather, my credit limit would be restored while both banks filed disputes for the charges on my behalf. This investigative process would be protracted, taking up to 90 days, and I was advised that I could still be held liable for both sums should these disputes (with the merchants that the fraudulent transactions were made with) fail.

I was genuinely shocked for several reasons. 

First things first. If there is one piece of personal data I am extremely careful with, it’s my credit card information. To the best of my knowledge, I have never paid where I have to physically hand over a card with the card details (numbers and CVV) printed on it (paranoid, I know). As for these two cards, I’ve also stopped saving credit card information on websites.

I use escrow or wallet services like PayPal or Google Pay (and now Apple Pay) that hide card information from the merchant. 

Image credit: Pexels, photo by cottonbro studio.

My other computing device is a MacBook Air M1, and I don’t make any transactions or payments on it — all online payments happen through my previous Android phone. 

Secondly, if you look at the biggest stories about scammers emptying bank accounts, they share many similarities, of which I had none. 

The local stories about losing entire life savings to scams typically start with scammers baiting people with false deals (heavily discounted eggs, durian tour tickets, odd jobs with mind-boggling payouts, what have you) through unchecked online advertisements or group chats. The scammers also require you to key in extremely sensitive information into their fake portals. The scammers will then wipe out entire bank accounts in seconds. 

My experience was nothing like these victims. I only shop for known goods and amenities from brand-name places through their official channels (some of which I’ve bookmarked), I don’t get baited by too-good-to-be-true discounts, and most importantly, I did not key my information into any suspicious web pages. The malicious actors didn’t manage to wipe out all my savings either, but it’s still extremely disconcerting to know there is a gap in my system despite my best efforts. 

What’s more upsetting is the one similarity I see in my misfortune versus the other victims: in these cases, the banks did not sufficiently inform the owners of these monies’ outflow before it was absconded. While I did receive my notifications, it was only after the money had departed — not during or before.

Image credit: Pexels, photo by Mikhail Nilov.

Finally, I assumed it was my Android phone’s security being compromised because these transactions were made over two cards that were not related to each other. I first wondered whether a rogue Android app had set up malware or a backdoor to leak keystrokes or screen recordings as I entered card data. Through further thought, self-investigation, and discussions, I realised that is only one of the many possibilities, even if I were not scammed.

For example, it could be a naughty app, but it can also be a rogue payment terminal (possibly a physical one overseas) that leaked my card information digitally. Card skimmers, while uncommon in Singapore, are still around elsewhere. 

Could it be time to re-examine the way we pay via physical cards? It’s still far too easy for a card to be skimmed, for a rogue cashier to memorise card details, and for transactions below a certain amount to go through without any approvals. During my calls, I asked one of the banks, but it was unable to provide more information to help me narrow down the cause.

I would probably never know for sure. How exactly did they get hold of my payment information? Where were the transactions taking place? Why couldn’t the banks cooperate, even when I am willing to expend my own resources to get to the bottom of this matter? 

Where frustration sets in

Image credit: Pexels, photo by Tim Gouw.

As a technology writer, this seemed like a stain beyond description, given the expectations to be competent with these things (barring the Dunning-Kruger effect). 

This, coupled with Android’s ongoing concerns regarding its openness, and my insecurity over my personal actions — along with a disappointing digital ecosystem that was supposed to help me store my money safely — provided a very urgent push to the iPhone camp.

The main things that kept me on Android previously were the deplorable state of finance within my bank accounts (ironic, since I had now lost $700), my desire for a phone with a 120Hz refresh rate display, and a telephoto camera with 5x or greater optical zoom to match. 

These requirements were fulfilled via the iPhone 15 Pro Max, which was the next non-Android alternative on my list. I had wanted to switch phones during Chinese New Year 2024, but life/a scammer/Android/my banks had other plans for me, so I purchased my new iPhone in the Natural Titanium colourway in November 2023.

It’s been over a month with the iPhone, and one thing I appreciate most about it is that any minor transaction or unlock triggers the phone to ask for Face ID.

Keyloggers aside, demanding verification or authentication will go a long way in blocking certain transactions. But it still does not make me any more assured, nor does it bring me closer to identifying the gap that got exploited. 

While I do appreciate the latest anti-scam features by local banks that let you lock down your bank balance, I also find it a little moot. In my case, it’s not a scam, and the money was meant to be spent at my discretion (hence why I have separate cards for these accounts). It feels like there’s no real solution.

What now?

Image credit: Pexels. Photo by Ono Kosuki.

If there’s one thing, to sum up my feelings about this whole episode, it’s this: 

We aren’t short of ways to pay in the digital world. But in our rush to enjoy these conveniences, we’ve overlooked the need for security at the most fundamental levels. That, and with how advanced social engineering scams and malware are getting, we have a long way to go in user education.

This is not to hate on Android. I love the operating system even now. But, it’s taken a whole slew of scams and malware in the past few months to raise awareness of how well-minded features, like the openness of operating systems, can too easily be exploited for malicious acts of great severity. 

Google and Samsung have taken steps to protect users, but as long as Google makes the choice to allow Android sideloading, I’d argue that it has a strong responsibility to ensure that users are fully protected. 

As someone who is already aware of such cyberattacks, it stings harder when a reasonably informed user falls flat at identifying the vulnerability, let alone stopping the attack. 

The episode has also made me realise that many around me (my friends, parents, and other loved ones) are already neck-deep in this world with zero technical knowledge. I went into this with both eyes open, and it still did nothing to prevent S$700 from growing a pair of legs and walking right out of my bank account.

Android is not the problem. But through inaction, it risks becoming a supporting actor in a greater tragedy.

That said, iOS does give me that higher sense of security, even if not by much. Security exploits found on iOS tend to be fixed in a matter of days, while Android users need to pray that their device manufacturer issues an update, which could never be done. 

It’s also worth remembering that Apple, other than issuing a white paper arguing against EU requests to enable sideloading, has never attempted to profit from the security woes of its competitor’s mobile OS. 

That may speak less about operating systems, but more about the sheer diversity of security threats. It doesn’t even include non-tech vulnerabilities, such as love, job, or durian scams. And while it’s true that some have suffered much greater loss than $700, many others also continue to use their Android devices daily without incident.

We’re looking to the banks to do better

Image credit: Pexels. Photo by energepic.com.

In my conversations with banks and card providers during this ordeal, I felt they could have also assisted better. In the wake of the first scams, consumers complained that many of their efforts, such as setting up dedicated fraud hotlines, were reactive. 

In this case, when a user spots a fraudulent, unauthorised transaction (not a scam, where the user is tricked into performing the transaction), we have no certainty in recovering our money. The current standard implies that this is a dispute, and is not viewed as a chargeback or cancellation of an unauthorised transaction. Let that sink in.

Yes, the money cannot come back easily, but the banks exacerbate the frustration and uncertainty with the delays and little promises made. It felt as if I was asking a random person at a bus stop if he knew what happened to my money, and all he could manage was a few funny looks.

As it stands, the merchant has the upper hand even if they aren’t legitimate transactions. Instead of protecting me against rogue merchants, the current arrangement left me out of the picture, with the banks and merchants agreeing on what constitutes a legitimate transaction. It’s only called into question after the money is gone.

It’s not you, it’s me… or is it?

Image credit: Pexels. Photo by Pixabay.

But I would be remiss not to speak of my undoing. While I couldn’t fully identify if it was malware, this has proven to be a lesson in the importance and personal responsibility of securing my finances. While I had been profiting from free third-party apps, I was now much more keenly aware of the risks involved. 

Do I miss ad-free video content, or social media apps that allow me to browse stories with greater “privacy”? Admittedly, yes. 

Then again, as a parent, I teach my child that nothing comes for free. If he plays with his toys without completing his homework, the consequences will come, either through unnecessary stress down the road, burning the midnight oil for nothing, or having poorer exam results to show for it. In this case, I should practice what I preach. 

Bidding my old Android phone goodbye. You will be missed.

If we find illegitimate ways to enjoy paid services for free, we’d have to accept the risks that come with it: you end up paying for them in other, more sinister ways like bundled trojans, spyware and malware. Even free-to-use apps, whether third-party or official, have their price.

If we are to have digital conveniences, it is our job to learn how to work them in safer ways. But manufacturers, service providers, and financial institutions certainly have to do their part as well to insulate us from things beyond our control.

Source: https://www.hardwarezone.com.sg/feature-android-ios-phone-malware-scam-transactions-warning-cautionary-tale