Latest Phishing Scam Hides Within An App And Is Disturbingly Sophisticated

A Facebook user has shared his disturbing experience of almost losing his savings through a new and sophisticated phishing scam. Describing the series of events on his Facebook page, Smith Ang detailed how a Facebook ad for professional cleaning services led to him accidentally sharing his online banking account info and almost losing close to RM5,000.

The operation is surprisingly elaborate, involving creating a Facebook page offering professional cleaning services, and paying for ads on Facebook to lure unsuspecting victims. After all, professional cleaning services are quite common these days, with booking and payment usually done online.

To add legitimacy, the scammers try to mimic an existing professional cleaning service called Maid4u – but the Facebook ad is run by a page called “Magic Maid Cleaning”. Maid4u’s website lists some corporate clients, complimentary sanitisation services and support for credit card payments, but its services are only available in Cyberjaya. Crucially, it also does not have an app (though according to the website, one will be available soon), and its WhatsApp chat button leads to a different phone number from the scammers’.

The Facebook ad includes a WhatsApp chat button, where the scammer shares a 50% discount promo for new users who book via their app. However, the app download link does not go to the Google Play Store or Apple App Store; it points to an APK file – an Android app installer package – that Google has never vetted, since it was never submitted to the Play Store. Tellingly, the app asks for permission to read SMS messages: a permission some legitimate apps do need, but one that also lets the app read every OTP the bank sends.

Upon installation, the app requires you to set up an account with your name, mobile phone number and email address. Bookings and payments can be made through the app, with “credit cards” and “FPX” listed as payment options – except that credit card payment is conveniently “not available”, leaving only FPX, which works by redirecting you to “log in” to your online banking website. That login page is a fake, so the username and password are captured. And since almost every bank then requires an SMS OTP, the app’s SMS read permission comes into play: the scammer now has everything they need to clear out your bank account.

Thankfully, Ang was able to secure his online banking access by changing his password very quickly, before the scammer could authorise a RM4,860 instant transfer. As a technologically savvy user, Ang protected himself from the scammers through luck and quick thinking – but this may not be the case for everyone else. Several points in the process are red flags:

  1. The too-good-to-be-true offer – most professional cleaning services cost around RM50/hour. The “promo” offers a two-hour service with free sanitisation service for only RM40 (admittedly the one-time “new user” offer does make it plausible).
  2. Inconsistent brand name – the company is Maid4u but the ad shows “Magic Maid Cleaning”.
  3. “Nationwide” coverage – the scammers are quite smart to ask for the victim’s location, without disclosing what locations their service supposedly covers.
  4. App download – the biggest red flag, as noted by Ang as well. An APK file obtained outside the Play Store is not vetted by Google, and Android blocks installs from unknown sources by default precisely because nobody except the app’s developers knows what the app can do. In this case, the app acts as a Trojan horse: it gathers the victim’s personal information and reads incoming SMS messages to capture the OTP when the bank asks for authorisation.
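The permission combination described in red flag 4 – a sideloaded app that can reach the network and also read or receive SMS – is what turns a “booking app” into an OTP thief, and it is visible in the app’s manifest before the app is ever opened. The following Python triage script is an added example written for this article; it is not code from the original post, from Ang, or from any of the companies named. It assumes the APK’s AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), because the manifest inside an APK is stored in a binary format. The package name, receiver name, download URLs and both sample manifests are constructed for illustration and are not taken from the actual scam app.

```python
"""Triage a sideloaded Android app's decoded AndroidManifest.xml for the
permission pattern behind OTP-stealing "booking" apps: network access plus
the ability to read or receive SMS. Also flags download links that bypass
the official app stores. Added example; sample data below is constructed."""
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Permissions that let an app read one-time passwords delivered by SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
}
# A receiver registered for this broadcast sees every incoming text message.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    sms_permissions = sorted(requested & SMS_PERMISSIONS)
    has_internet = "android.permission.INTERNET" in requested

    # Receivers whose intent-filter listens for SMS_RECEIVED can grab the OTP
    # the moment it arrives, without the user opening the messaging app.
    sms_receivers = [
        receiver.get(NAME)
        for receiver in root.iter("receiver")
        if any(a.get(NAME) == SMS_RECEIVED_ACTION for a in receiver.iter("action"))
    ]

    reasons = []
    if sms_permissions:
        reasons.append("requests SMS permissions: " + ", ".join(sms_permissions))
    if sms_receivers:
        reasons.append("registers SMS_RECEIVED receiver(s): " + ", ".join(sms_receivers))
    if has_internet and (sms_permissions or sms_receivers):
        reasons.append("has INTERNET, so captured OTPs can be sent off-device")

    verdict = "otp-theft-capable" if (sms_permissions or sms_receivers) else "no-sms-access"
    return {
        "package": root.get("package", ""),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "has_internet": has_internet,
        "verdict": verdict,
        "reasons": reasons,
    }


def download_link_red_flag(url: str) -> Optional[str]:
    """Explain why an app download link is suspicious, or None if it is a store link."""
    parts = urlparse(url)
    if parts.hostname in OFFICIAL_STORE_HOSTS:
        return None
    if parts.path.lower().endswith(".apk"):
        return "direct APK download (sideload), not an app-store listing"
    return "link does not go to an official app store"


# Constructed manifest modelled on the behaviour the article describes
# (hypothetical package and class names, not the real app's).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.magicmaid">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Magic Maid Cleaning">
        <activity android:name=".BookingActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary booking app: network access only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleanbook">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="CleanBook">
        <activity android:name=".BookingActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
    # Constructed URLs: an official store listing versus a raw APK link.
    for link in ("https://play.google.com/store/apps/details?id=com.example.cleanbook",
                 "https://magicmaid-promo.example/app/MagicMaid.apk"):
        print(link, "->", download_link_red_flag(link) or "official store link")
```

Run against a real sample, the script only tells you what the app *can* do, not what it does; an app that merely requests READ_SMS is not proof of fraud, which is why the verdict is phrased as a capability. Combined with the other red flags above (sideloaded APK, mismatched brand, broken card payment path), it is enough to stop before typing a bank password into anything the app opens.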


That said, the app is well made: from the screenshot shared by Ang, its fake login page mimics Maybank2u’s old website layout (which is what FPX uses) almost perfectly. So again, unsuspecting victims hoping to grab a good deal may end up falling prey to this elaborate phishing scam.

You can read Ang’s full experience in the source link.

(Source: Smith Ang (Facebook))

Comments (5)

Subscribe
Notify of

5 Comments
Inline Feedbacks
View all comments
Faisal
2 years ago

This is an old scammer on the loose. Don’t fall for it.

Raven Raj is what he introduced over email with his bank details as Public Bank 3130446115

Same email and domain

Karen
2 years ago
Reply to  Faisal

Yes, this happened to us a few days back.
The name of the agent is the very same Raven Raj with the very same account number.
Feel so cheated.

Hi! a
1 year ago

Thank you for the elaboration, a good write-up

May
1 year ago

I just lost 21k with one click on the link given, today, within 5 minutes. I just viewed the link given to check the price, then I got a notification message that my money was all gone.

Mike Myers
1 year ago

Companion Maids is probably the same company, doing the exact same… another scam.
