Scam victim loses more than £6,000 after buying an £8 camera on eBay

eBay item linked to banking malware that hacked the Barclays app

A cheap camera bought off eBay opened the door to criminals who quietly stole £6,451 from a victim’s mobile banking app. He was initially denied reimbursement by his bank and the Financial Ombudsman Service (FOS), but has finally got his money back following a 17-month battle.

The victim, who wishes to remain anonymous because he is still being targeted by scammers, refused to give up when Barclays deemed him responsible for a series of transfers that left his account in early 2022.

He spent months completing his own fraud investigation, before sharing his story with Which? when no one seemed willing to listen. 

Sign up for scam alerts

Our emails will alert you to scams doing the rounds, and provide practical advice to keep you one step ahead of fraudsters.

Sign up for scam alerts
Sign up

Malware linked to eBay purchase

The scam started in 2021 when the victim bought a USB Endoscope Borescope camera – useful for looking down pipes and for car maintenance – on eBay for £7.59. 

He followed the instructions provided to download an app called ‘QR Code Reader’ from the Google Play Store. Although he didn't know it at the time, the download had infected his phone with banking malware. A month later, the app – which had more than 100,000 downloads – was identified as malicious by security researchers at Bitdefender and was removed by Google. 

The Bitdefender report explains that the app was ‘likely a heavily encrypted TeaBot dropper’ that specifically targeted Great Britain and worked in the background to hijack bank accounts.

When banks don’t believe fraud victims

The fraud only came to light when Barclays blocked the victim’s account due to unusual activity. 

Eight unauthorised transactions had taken place over eight days, ranging from £10 to £1,985, all taken while the victim was asleep. All of the payments were to the cryptocurrency exchange Coinbase, even though he had never used this app or any other exchange. 

An initial virus scan didn’t find anything suspicious, but a Norton antivirus tool subsequently detected malware. The victim also found that two remote access tools had been installed on his phone without his knowledge. Which? has repeatedly warned that these tools are widely abused by criminals

To his surprise and horror, Barclays said that because the payments were made from his registered device, verified by the correct passcode, it couldn’t see how his device was compromised and refused to refund the money. 

He begged Barclays to analyse his phone and consider the unusual pattern of behaviour but this fell on deaf ears. He made a complaint to the FOS before approaching Which? for support. 

Which? investigates the dodgy eBay item

We bought the same item from the same eBay seller and followed the instructions to install it. 

We were prompted to download a different app, called ‘USB_Camera app’, which we asked independent cyber security experts to review. 

They said that, although it initially ran as expected, they did find a suspicious library which has been linked to an Android malware ‘packer’ (used to compress files and hide malicious code) and said there is a very high probability the app is malicious. 

Despite this new evidence, Barclays initially refused to reconsider its decision, declining to comment on the case until it had been reviewed by the FOS. 

We asked if it had contacted either Norton (to confirm the malware report) or Coinbase (to confirm if the receiving account was suspected of criminal or suspicious activity) but didn't receive a response.

eBay's response

We reported the seller to eBay. It removed the listing to minimise the risk to users, but confirmed it had received no other scam reports relating to the item.

A spokesperson said: ‘eBay is a third-party seller marketplace.  We do not sell any products directly but mainly connect buyers and sellers. We generally do not control the sellers’ items at any point in time. We take reports of fraud and scams very seriously. 

'In the rare instance that we receive one, our dedicated law enforcement liaison teams work closely with police, and other stakeholders like Action Fraud, to investigate and provide evidence as requested.'

We also informed Google about this potentially dangerous app but it was found to not have violated any policies. 

Can the FOS cope with complicated fraud cases?

The FOS rejected the victim's complaint. When we reviewed the final decision, we were surprised to find that it made no mention of the possibility of malware. 

The victim says he repeatedly told the investigator that he was a victim of a remote attack but this information was either missed or ignored.

Which? has recently raised concerns that some FOS investigations may have suffered due to a lack of specialist knowledge, particularly in complicated fraud cases.

A spokesperson for the FOS said: ‘Being the victim of a fraud or a scam can be a horrendous experience – both financially and emotionally. Unfortunately, we continue to see hundreds of complaints a week from victims of fraud and scams.

'If anybody feels they have been treated unfairly by their bank they can complain to our service, we will then consider whether the firm has acted reasonably or whether they need to reimburse the consumer. We are a free, independent service, and each case is investigated on its own merits.’

'We carefully investigate the specific circumstances of every case, reaching a fair and reasonable decision based on the evidence made available to us at the time. We take account of the relevant law and regulations, regulators’ rules, guidance and standards, codes of practice and, where appropriate, what the ombudsman considers to have been good industry practice at the relevant time.'

Refusing to give up

The victim was prepared to take Barclays to court, but thankfully the issue was eventually resolved last week.

Which? urged Barclays to review its initial stance, reiterating our findings related to the same eBay item, and it finally agreed to refund the money.

The bank's initial investigation was based on the victim’s testimony that he had not downloaded any new apps and had antivirus software installed on his phone.

This was true – the malicious app had been installed over three months before and his device had a free antivirus tool – but the attack came later and basic tools can fail to detect sophisticated malware. We feel that Barclays asked the wrong questions and failed to investigate this particular fraud case thoroughly.

A Barclays spokesperson said: ‘Based on information our customer had initially provided, our thorough, forensic investigation did not identify a point of compromise, with the FOS agreeing with our decision. However, after the provision of new information, the funds lost to this scam have now been returned to our customer. 

'We urge customers to provide as much information as possible when they report a fraud, and to remember that a legitimate organisation will never ask them to download software, transfer money, make payments, or share their security information.’

  • Which? asked Coinbase what identity checks were requested when the account in question was opened but it declined to comment ‘due to customer confidentiality’ though it said ‘Coinbase takes extensive security measures to ensure our customer accounts remain safe’. 
  • We also contacted the developer of the ‘USB_Camera app’, listed as ‘Shenzhen wxl technology limit’ on the Google Play Store, but it did not respond to our questions.

Seen or been affected by a scam? Help us protect others