VPN scam in UAE: Residents lose money from mobile balance, app purchases

UAE resident Noor Ahmed has been losing over Dh3 daily from his post-paid mobile account for many weeks. He was unaware of it until he got a message from his telecom service provider that he had reached the credit limit.

“I was surprised to see the message from a local telecom service provider because I had not utilised much of my available balance. I use a pre-paid mobile balance only to pay for parking through SMS. When I checked with the telecom service provider’s customer services executives at one of the hypermarkets, I found out that I was being charged by the VPN that I had installed. Therefore, I immediately uninstalled it,” he said.

Once the Virtual Private Network (VPN) app was uninstalled, Ahmed, who lost over Dh200 in one month alone, stopped losing his balance. Ahmed was among many who had a similar experience.

Stay up to date with the latest news. Follow KT on WhatsApp Channels.

Another long-time resident, Masoom Fatima, who had also installed a VPN app for audio-video communications with her friends and family, lost all her mobile balance within a couple of days after she recharged.

“Whenever I recharged my mobile account, the funds just vanished within a day or two. It happened to me multiple times. When a friend of mine told me to remove the VPN app, I stopped losing the credit,” said Fatima.

In the UAE, residents are permitted to use VPN but its misuse could land in trouble legally, resulting in imprisonment and a fine of up to Dh2 million.

What do experts say?

“Yes, if someone has installed a malicious VPN app on their mobile, the scammer can potentially access their phone and make unauthorised purchases, leading to deductions from the person's post-paid or pre-paid mobile balance. A malicious VPN app can gain control over the device, allowing scammers to make purchases from app stores like the Apple App Store or Google Play Store without the user's consent,” said Ezzeldin Hussein, regional senior director for solution engineering in META at SentinelOne.

He said VPN can intercept communications between the device and the internet, capturing sensitive information such as account credentials for app stores, which scammers can use to make unauthorised purchases.

“If the VPN app requests and is granted extensive permissions, it can access the user's mobile balance information and initiate transactions using the mobile network's payment system. Additionally, some VPN apps may covertly initiate in-app purchases, which can go unnoticed for a while but add up over time,” added Hussein.

Karthik Anandarao, chief technical evangelist, ManageEngine, said mobile phones are prone to cyberattacks much more than any other personal devices.

“Users usually are not aware whether the VPN is connected or disconnected. As the hackers gain entry into a user's mobile phone, they can access any app. The telecom provider’s app is no exception to this. Scammers can deduct money from the users’ pre-paid or post-paid mobile balance with ease. All the scammer needs is a point of entry into the user's mobile phone. It does not matter whether a VPN is active or disconnected,” said Anandarao.

Users exposed to hackers even after using a VPN

Karthik Anandarao said using a VPN doesn't mean that people are invisible from hackers.

“You can still be tracked down using the VPN address. When connected through the VPN, it is only certain attributes like the location and IP address that keep frequently changing. The rest of the information is still vulnerable and is accessible by hackers. Information such as the bank credit card, CVV, expiry date, account information etc. are either stored in cookies or vaults. These cookies and/or vaults are prone to attacks or data theft whether you are inside or outside the VPN,” added Anandarao.

• Dubai: 494 arrested for phone fraud cases, targeting banking customers

• UAE
• Newsletters
• UAE