> The seller texted Ms Khoo on WhatsApp and instructed her to download a third-party app called Grab&Go on her phone. The app prompted her to make a $5 payment through PayNow as a “deposit” before her order could be placed, but she asked if she could pay when her order arrived.
> The seller reassured her that he did not need her banking details and asked her to enter her name, address and phone number on the app to check out her purchase.
My guess would be the payment information combined with the personal information (and using that personal information to get more personal information online) was just enough to call the bank and impersonate her.
The app eating CPU and battery is definitely a red herring, even with a vulnerability that let it directly get at banking details there's no reason for it to do that. Probably just badly written.
> The seller texted Ms Khoo on WhatsApp and instructed her to download a third-party app called Grab&Go on her phone. The app prompted her to make a $5 payment through PayNow as a “deposit” before her order could be placed, but she asked if she could pay when her order arrived.
> The seller reassured her that he did not need her banking details and asked her to enter her name, address and phone number on the app to check out her purchase.
My guess would be the payment information combined with the personal information (and using that personal information to get more personal information online) was just enough to call the bank and impersonate her.
The app eating CPU and battery is definitely a red herring, even with a vulnerability that let it directly get at banking details there's no reason for it to do that. Probably just badly written.