The story so far: Thousands of Indians with cell phones are losing money after answering a call or clicking on a message. Sometimes it begins with a phone call — calm, polite, and urgent. The voice at the other end warns of a blocked bank account, a missed government subsidy, or a pending electricity bill. Moments later, a message follows with a link to an app that promises a quick fix. The app looks official, bears the logo of a trusted institution, and installs without issue. The user grants a few routine permissions — contacts, SMS, notifications — not realising that, in that instant, their phone has become an open vault.

What happens after users install the app?

In less than 10 minutes, money begins disappearing from bank accounts. Fixed deposits are prematurely closed, and OTPs intercepted. The app, which now runs in the background, monitors, mirrors and mines everything, from location to private messages. The user is unaware until it is too late. And by the time help is sought, the funds have travelled through layers of digital laundering and are impossible to retrieve.

APK fraud is one of the fastest-growing cybercrime threats in the country today. The National Cyber Crime Reporting Portal has logged 12,47,393 cases of different types in the last six months. Parliament has been informed that cyber crimes rose by 900% between 2021 and 2025. Data from the Telangana Cyber Security Bureau (TGCSB) show that 2,188 such cases were reported between January and July 2025, leading to losses of ₹779.06 crore. Officials said that 20 to 30 such cases are reported every single day, with daily financial losses of between ₹10 lakh and ₹15 lakh. In high-stakes scams such as investment and business frauds, losses can go up to ₹30 to ₹40 lakh.

These scams, driven by malicious Android Package Kit (APK) files, exploit public trust in digital systems while using sophisticated technical tools to stay undetected and operational across State lines.

How does the fraud work?

APK files on Android devices are much like .exe files on Windows computers: both are used to install apps, and both can be exploited by fraudsters to spread malware. Fraudsters build or source apps that mimic the appearance and language of official portals, including government subsidy schemes like PM-Kisan, tax refund platforms, electricity boards, or banks asking for KYC updates. These fake apps are often circulated through social media platforms like WhatsApp, accompanied by convincing messages that urge users to act immediately.

Developers use encryption techniques that hide malicious code from detection tools. By remaining dormant during installation, these APKs sidestep antivirus scans. Once downloaded, the app seeks multiple permissions, including access to contacts, messages, call logs, location, microphone, and notifications. The app gains access to the phone’s program files, harvests data in real time, and transmits it in encrypted bits to external servers operated by fraudsters. These bits, unreadable to ordinary users, are decoded to extract valuable information, including banking credentials, OTPs, contacts, and location coordinates.

Who operates these apps?

The fraudsters who circulate these APKs are rarely the ones who build them. Instead, the apps are part of a well-structured underground economy. Cybercrime officials estimate that 60 to 70% of malicious APKs used in India are developed locally by tech-savvy masterminds in Delhi NCR, Meerut, Uttar Pradesh, Jamtara, and parts of Jharkhand. The remaining 30-40% originate internationally, with traces leading to the U.S., U.K., and China.

Telegram channels and dark web marketplaces serve as prime distribution channels, offering pre-built APK kits and modules for a fee. Once in circulation, the same APK file is reused with minor modifications to the interface (name, logo and the URL or web address of the file), allowing it to bypass detection even after earlier versions are blacklisted. Cybercrime officers say that across hundreds of scam cases each month, only about 10 distinct APK files are found, pointing to widespread reuse of a few malicious apps.

How are users targeted?

The choice of victim is anything but random. Much like a recce before a physical crime, cyber fraudsters carry out extensive digital surveillance before striking. “Fraudsters purchase leaked databases, sourced from customer directories of malls, hospitals, or service portals, readily available on the dark web, Telegram, or even local search engines like Just Dial,” said an official from the TGCSB. “These datasets include names, phone numbers, email IDs, addresses, and at times even income or professional details, which help criminals customise their approach,” the official explained. High-earning professionals, including doctors, bank staff, teachers, and real estate agents, are often in the crosshairs. Using the partial information already known about the target, fraudsters craft convincing, urgent messages designed to manipulate trust and prompt action.

How are investigators tackling the problem?

When a fraudulent app is seized, cyber forensics teams decrypt it to trace server origins or identify developer signatures. But the results are mixed. Only 2-3 out of every 10 APKs are decrypted successfully. Most reveal only the server addresses or general code structures; rarely do the files contain identifiable developer signatures. Even when financial trails are followed, they usually end in mule accounts (temporary bank or wallet accounts used to receive stolen funds), from which the money is quickly converted into cryptocurrency.
Arrests do happen, particularly of local accomplices managing these mule accounts or distributing the APKs. But the masterminds and coders, especially those offshore, remain elusive. Google has removed nearly 50 malicious apps in recent months based on reports from investigators. “Google or any other intermediary does not scrutinise every application that is being hosted on their server. Fraudsters also use mule accounts and shell identities to pay for hosting and publishing on search engines,” explained the official.
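The two technical points above, a fake app that asks for SMS, contacts, call-log, location and microphone access, and a handful of APKs that survive blacklisting as relabelled copies of the same code, can be turned into a simple static triage check. The Python below is an added example, not code from the article or from any agency it quotes. It models an APK as a zip archive (which it is) carrying a plain-text AndroidManifest.xml, flags the permission combination the article describes, and fingerprints only the classes*.dex code entries so that variants differing merely in name, logo or URL hash to the same value. Everything in it is constructed: the sample apps, the package names, the example.invalid URLs and the placeholder dex bytes. Real APKs store the manifest in binary AXML, so decode it first with a tool such as aapt or androguard before feeding the text to the permission check.

```python
"""Static triage of Android APK samples (added example, constructed data).

Assumptions: an APK is modelled as a zip archive holding a plain-text
AndroidManifest.xml and one or more classes*.dex entries. Real APKs store the
manifest in binary AXML; decode it (aapt dump xmltree, or androguard) before
passing the text to extract_permissions().
"""
import hashlib
import io
import re
import zipfile

# Permission set the article associates with these banking-fraud apps.
# BIND_NOTIFICATION_LISTENER_SERVICE appears on the listener <service>
# declaration rather than as a <uses-permission>; the regex below catches both.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PERMISSION_RE = re.compile(r"android\.permission\.[A-Z_]+")
DEX_NAME_RE = re.compile(r"^classes\d*\.dex$")


def extract_permissions(manifest_text):
    """Every android.permission.* string found in a decoded manifest."""
    return set(PERMISSION_RE.findall(manifest_text))


def is_suspicious(permissions):
    """SMS access (OTP interception) plus at least two more harvesting permissions."""
    risky = permissions & HIGH_RISK_PERMISSIONS
    return bool(risky & SMS_PERMISSIONS) and len(risky) >= 3


def code_fingerprint(apk_bytes):
    """SHA-256 over the dex entries only: a relabelled repackage (new name,
    logo, URL) of the same code yields the same value as the original."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(n for n in zf.namelist() if DEX_NAME_RE.match(n)):
            digest.update(name.encode("utf-8"))
            digest.update(zf.read(name))
    return digest.hexdigest()


def triage_apk(apk_bytes):
    """One triage record: whole-file hash, code hash, risky permissions, verdict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode("utf-8")
    perms = extract_permissions(manifest)
    return {
        "file_sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "code_sha256": code_fingerprint(apk_bytes),
        "high_risk": sorted(perms & HIGH_RISK_PERMISSIONS),
        "suspicious": is_suspicious(perms),
    }


def cluster_by_code(apks):
    """Group samples by code fingerprint: {code_sha256: [file_sha256, ...]}."""
    groups = {}
    for apk in apks:
        record = triage_apk(apk)
        groups.setdefault(record["code_sha256"], []).append(record["file_sha256"])
    return groups


# ---- constructed samples (not real malware) --------------------------------
def build_apk(manifest_text, dex_bytes, extra_files):
    """Stand-in for an APK: a zip with a plain-text manifest and a fake dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest_text)
        zf.writestr("classes.dex", dex_bytes)
        for name, data in extra_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_manifest(label, permissions):
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest package="com.example.{label.lower()}">\n{uses}\n'
            f'  <application android:label="{label}"/>\n</manifest>\n')


FRAUD_PERMS = ["android.permission.INTERNET", "android.permission.READ_SMS",
               "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
               "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION"]
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64   # placeholder code blob shared by both variants
VARIANT_A = build_apk(make_manifest("KisanSubsidy", FRAUD_PERMS), FAKE_DEX,
                      {"res/logo.png": b"logo-A", "assets/server_url.txt": b"https://a.example.invalid/"})
VARIANT_B = build_apk(make_manifest("BijliBill", FRAUD_PERMS), FAKE_DEX,
                      {"res/logo.png": b"logo-B", "assets/server_url.txt": b"https://b.example.invalid/"})
BENIGN = build_apk(make_manifest("Notes", ["android.permission.INTERNET"]), b"dex\n035\x00notes", {})

if __name__ == "__main__":
    for name, apk in (("variant A", VARIANT_A), ("variant B", VARIANT_B), ("benign", BENIGN)):
        print(name, triage_apk(apk))
    print(cluster_by_code([VARIANT_A, VARIANT_B, BENIGN]))
```

Running it prints one triage record per sample and then the clusters: the two fraud variants have different whole-file hashes but a single code fingerprint, which is the value a blocklist should key on if a handful of reused apps is to stay blocked after each relabelling.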