Man taught syndicate members to deploy Android malware that stole millions from victims

A Malaysian man who recorded tutorial videos teaching criminals to use Android malware has been sentenced in Singapore, marking the country’s first prosecution for instructing others in malware operations. The case exposes a transnational scam syndicate that infiltrated victims’ phones and siphoned off millions through unauthorized mobile banking transactions.

A Friendship That Led Into Crime
The case centers on 49-year-old Malaysian citizen Cheoh Hai Beng, who befriended Taiwanese national Lee Rong Teng while serving a prison sentence in South Korea in 2008. Years later, Cheoh reconnected with Lee in the Dominican Republic, where Lee recruited him to help operate a criminal syndicate using advanced malware to infiltrate Android devices.

In January 2023, Lee introduced Cheoh to Spymax, a sophisticated remote access Trojan designed to secretly control Android phones. Disguised as legitimate apps such as online shopping tools, the malware could access cameras, GPS, contact lists, SMS history, cryptocurrency apps, and banking credentials without the user’s knowledge.

Recording Malware Training Videos
Between February and May 2023, Cheoh recorded at least 20 instructional videos showing syndicate members how to install and operate Spymax. The videos demonstrated methods to:

– Capture crypto wallet passwords

– Remotely access banking and crypto apps

– Track phone locations through GPS

– Extract contacts, messages, and login data

Although initially reluctant, Cheoh complied after Lee promised payments and threatened to release compromising recordings of him. Cheoh earned US$700 in February 2023 and US$1,000 each in March and April for creating these materials.

Scam Operations Targeting Singapore
After Cheoh left the syndicate in April 2023, the group continued deploying the malware from operations based in Malaysia. Fake landing pages were designed to lure victims into downloading malicious apps.

From June 2023 to June 2024, at least 129 victims in Singapore had their Android phones compromised. Their devices were remotely taken over, allowing unauthorized mobile banking transactions totaling S$3,197,974.24 (approx. US$2.5 million).

Arrest and Prosecution
Cheoh was arrested in Penang on June 12, 2024 by Malaysian police working with Singapore’s Technology Crime Investigation Bureau. He was later extradited to Singapore, where he pleaded guilty to:

– Being a member of a criminal syndicate

– Conspiring to use malware to obtain unauthorized access

A third charge was considered during sentencing.

On December 9, a Singapore court sentenced him to five and a half years in jail and a S$3,608 fine, representing the profit he earned from producing the videos.

Legal Arguments and Significance
Prosecutors emphasized the unprecedented nature of the case, calling it the first time someone in Singapore has been charged for teaching others to use malware. They argued that the harm was extensive due to the syndicate’s global reach and Android’s widespread use.

The defense maintained that Cheoh played a minor role and had limited involvement in the scams executed after May 2023. However, the court noted that his tutorials expanded the syndicate’s operational capability.

This case underscores the rapidly evolving landscape of digital crime affecting both Singaporeans and regional communities. It highlights how malware training, cross-border syndicates, and remote access tools can amplify financial harm at scale. As cybercriminals become more sophisticated, regional cooperation and vigilant enforcement will remain critical to safeguarding digital banking and consumer trust.

Sources: Channel News Asia (2025)

Keywords: Android Malware, Spymax Trojan, Singapore Scam Losses, Criminal Syndicate, Remote Access Scams