SINGAPORE: A Malaysian man, Cheoh Hai Beng, 49, was sentenced to five-and-a-half years in jail and fined S$3,608 on Tuesday (Dec 9) for teaching a criminal syndicate how to use malware to hack Android mobile phones.
Cheoh pleaded guilty to being a member of a criminal syndicate and conspiring to use software hosted on servers to remotely access victims’ phones in Singapore. A third charge was considered during sentencing.
The case involved a highly sophisticated remote access Trojan, known as Spymax malware, designed to access mobile banking apps, capture passwords, track locations, and remotely control devices. The malware was disguised as legitimate Android applications.
Cheoh met Taiwanese national Lee Rong Teng while serving time in a South Korean prison in 2008. Lee later recruited Cheoh to the Dominican Republic in 2022, where he learned to operate the malware. Cheoh recorded at least 20 tutorial videos between February and May 2023 demonstrating the software’s capabilities.
The videos were distributed to syndicate associates, who then used the malware to target Android users in Singapore. Between June 2023 and June 2024, 129 victims lost about S$3.2 million (US$2.5 million) through unauthorized bank transactions.
Deputy Public Prosecutor Hon Yi said Cheoh’s actions allowed others to commit offenses, citing the saying: “Give a man a fish, and he eats for a day. Teach a man to fish and he eats for life.” He highlighted the transnational nature of the syndicate and the wide potential harm, noting the malware could impact millions of Android users globally.
Cheoh returned to Malaysia in April 2023 but continued recording tutorial videos at Lee’s request. He was arrested at his Penang home on June 12, 2024, by Malaysian police in collaboration with Singapore’s Technology Crime Investigation Bureau.
Defence lawyer Sujesh Anandan argued that Cheoh’s role was limited to filming videos, placing him at the lowest tier of the criminal hierarchy, and stressed that he had no direct involvement in the actual scams that caused the financial losses.
Cheoh faced up to 10 years’ jail and a S$50,000 fine for conspiring to obtain unauthorized computer access, and up to five years’ jail and a S$100,000 fine for being a member of a locally linked criminal group.
This case is believed to be the first prosecution in Singapore of someone for teaching others to use malware.