One evening, a WhatsApp message lands on your phone. It looks urgent: a traffic challan notice, a bank KYC update, or even a cheerful wedding invitation card. The attached file carries the logo of a trusted institution or the design of a digital invite. You tap once, grant a few permissions, and move on. Hours later, you wake up to debit alerts, your savings drained, and learn that your phone is being silently controlled by someone miles away.
This is the APK file scam, one of the fastest-growing forms of cybercrime in India.
APK (Android Package Kit) files are the format used to install apps on Android devices. Official and verified apps are usually downloaded from the Google Play Store. But fraudsters trick users into installing fake APK files circulated through WhatsApp, SMS, email, or social media.
These files look legitimate and appear to come from trusted institutions such as government websites and banks, but they hide malware. Once installed, they ask for permissions such as access to SMS, calls, contacts, microphone, and even screen-sharing. With these, criminals can intercept OTPs, unlock banking apps, and remotely control the phone.
Common Forms of the Scam
Some common forms of scams include:
- Traffic Challan Scam: Fake files named Road Transport Office Challan.apk are sent as supposed traffic fines.

Source: Ahmedabad Cyber Crime Branch, Ahmedabad City Police on Instagram
- Bank Communication Scam: Fraudsters posing as bank staff send APK links asking you to update KYC or to redeem unused reward points. Once installed, the file steals banking details.

Fake APK files sent to update bank KYC from unverified source
Source: Moneylife
- Wedding Card Scam: An unknown number, posing as a close relative, shares a digital wedding invite that is actually a malicious APK.

Cyber security officials have circulated alerts on rising wedding invitation scams
Source: Tamil Nadu Cyber Crime Wing on Facebook
How to Stay Safe
- Download apps only from official app stores like Google Play Store or Apple App Store.

Source: Cyber Dost on Facebook
- Keep the “Install from unknown sources” option disabled on your Android phone to block apps from unverified sources.

Source: Microsoft Security
- Exercise caution when clicking on APK files received via WhatsApp, SMS, or email.
- Be cautious if an app requests sensitive permissions such as SMS, contacts, or screen sharing.
- Verify urgent messages directly with your bank or service provider.
- In case of fraud, report immediately to the National Cybercrime Helpline – 1930 or file a complaint at cybercrime.gov.in.
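For help-desk or fraud-desk staff who are handed a suspicious attachment, the permission check described above can be done on a computer without installing the file. The following is an added example, not part of the original article: it identifies an APK by its contents rather than its name, then looks for the permission groups the article lists. The mapping of those groups to Android permission names, the function names, and the sample file are assumptions of this example, and the byte search is a quick heuristic rather than a full manifest parser.

```python
import io
import zipfile

# Assumed mapping of the permission groups named in the article to Android
# manifest permission names (the grouping is this example's, not the page's).
RISKY = {
    "SMS": ["READ_SMS", "RECEIVE_SMS", "SEND_SMS"],
    "calls": ["READ_CALL_LOG", "CALL_PHONE"],
    "contacts": ["READ_CONTACTS"],
    "microphone": ["RECORD_AUDIO"],
    "screen sharing": ["FOREGROUND_SERVICE_MEDIA_PROJECTION",
                       "BIND_ACCESSIBILITY_SERVICE"],
}

def triage_attachment(data: bytes) -> dict:
    """Classify a received file by content, ignoring its name and extension."""
    result = {"is_apk": False, "risky": {}}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "AndroidManifest.xml" not in zf.namelist():
                return result  # ordinary ZIP, not an Android package
            manifest = zf.read("AndroidManifest.xml")
    except zipfile.BadZipFile:
        return result  # not a ZIP container at all
    result["is_apk"] = True
    # Compiled manifests store strings as UTF-16LE or UTF-8, so a byte search
    # finds permission names without a full binary-XML parser (heuristic).
    for group, perms in RISKY.items():
        hits = [p for p in perms
                if any(("android.permission." + p).encode(enc) in manifest
                       for enc in ("utf-16-le", "utf-8"))]
        if hits:
            result["risky"][group] = hits
    return result

def build_sample(perms, encoding="utf-16-le") -> bytes:
    """Constructed sample: a ZIP with a stand-in manifest, not a real APK."""
    body = b"".join(("android.permission." + p).encode(encoding) + b"\x00\x00"
                    for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed attachment standing in for a file sent as "invite.pdf".
    sample = build_sample(["READ_SMS", "RECEIVE_SMS", "RECORD_AUDIO"])
    print(triage_attachment(sample))
```

A file that reports `is_apk: True` despite arriving as an "invitation" or "challan" document, and that lists SMS or screen-sharing permissions, matches the pattern this article describes and should be reported rather than opened on a phone.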