How can I avoid the APK malware scam in Singapore?

Never install apps from outside the Apple App Store or Google Play. If a stranger — even one claiming to be a government officer — asks you to install an app, change device settings, or transfer money, hang up. Verify any government contact independently via the ScamShield Helpline at 1799. If a malicious app may be installed, switch the phone to flight mode and contact your bank, but do not factory-reset before reporting to police or you may destroy evidence.

Will a Singapore government officer ever ask me to install an app or transfer money?

No. Singapore Police Force, ICA, Ministry of Law, and the Anti-Scam Centre will never ask you to install an app from an unofficial app store, share your Singpass credentials, or move money to a 'safe account'. Any such request is a scam — hang up and verify independently.

Singpass Malware Scam Targeting Singapore Seniors

How does the Singpass malware scam targeting seniors work in Singapore? Victims install an Android app (APK) from a Facebook or TikTok ad for "senior activities." The malware silently uninstalls Singpass and ScamShield from the phone, then a caller impersonating a Ministry of Law or Anti-Scam Centre officer pressures the victim to transfer money — with at least S$69,000 lost across 8 cases since April 2026. Protect yourself: never install apps from outside the Apple App Store or Google Play, and confirm any government call independently via the ScamShield Helpline at 1799.

This week the Singapore Police Force issued an advisory about a scam built on a chilling idea: don't trick the victim into bypassing their security tools — delete the security tools off their phone.

📱 At least S$69,000 gone since April

Since April 1, 2026, at least eight Android users — most of them senior citizens — have lost a combined S$69,000 to a single scam playbook. The advisory was published on June 18, 2026.

Victims first saw Facebook or TikTok ads promoting activities for senior citizens and submitted their contact details. Scammers then reached them on WhatsApp and sent an Android app file (APK) "to view the list of activities."

📰 Singapore Police Force, June 18, 2026

How the attack chain works

1. The baitAn ad for senior activities on Facebook or TikTok. The victim submits their phone number.

2. The handoffA "coordinator" messages on WhatsApp and sends an APK file to install outside the Google Play Store.

3. The wipeThe malware quietly uninstalls Singpass and ScamShield — the very apps that would have protected the victim or flagged the fraud.

4. The impersonationA caller posing as an officer from the Ministry of Law or the Anti-Scam Centre claims the device is compromised and pressures the victim to "secure" their money.

5. The drainIn at least one case the victim's bank transfer limit was raised without their knowledge before funds were moved out.

The malware doesn't just steal credentials. It removes the apps that prove identity — so the scammer can step into the gap and pretend to be the government.

Protect yourself — the police advice

The SPF advisory is direct: Singapore officials will never ask you to install an app from an unofficial app store. Beyond that:

Never share personal details with people you can't verify. Only download apps from the Apple App Store or Google Play. Don't make changes to your device because a stranger told you to. If you suspect a malicious app is installed, switch the phone to flight mode and contact your bank — but don't factory-reset before reporting to the police, or you may destroy evidence.

Where verified identity breaks the chain

This scam works because of one thing: the victim could never check who was really on the other end. The "Ministry of Law officer" was a voice on a phone. There was no way to confirm it.

That's the same gap VerifySG closes for businesses. When a company, a law firm, or a lender needs to confirm who they're dealing with, they don't rely on a phone call or a screenshot — they send a Singpass verification link. The other party authenticates with the real, government-issued Singpass, using Face ID or fingerprint. A scammer who deleted someone else's Singpass can't produce a verified identity that isn't theirs.

Malware can wipe an app off a phone. It can't forge a live, government-backed authentication. That's the difference between trusting what someone tells you and confirming what the government can prove.

VerifySG

Government-verified identity in one message. So you always know who's really on the other end.

$0.20

per verification. Billed monthly via Claify + Stripe. No minimum.

Learn More

VerifySG is a service of HomeAuto Solutions Pte Ltd (UEN 202014984H). Identity is confirmed via Singpass login and CorpPass OIDC, Government Technology Agency of Singapore. Customer verification returns only a masked name + mobile — we do not collect or store NRIC, biometric data, or address. If you think you've encountered a scam, call the ScamShield Helpline at 1799 or report at scamshield.gov.sg.