Fake app installed on your phone: how to remove and protect bank

You probably found this page because a banking SMS just landed that you did not expect, or because a relative phoned to say “I installed an app and now the app store says my phone is compromised”. This guide is written for that exact 30-minute window. The order of steps matters more than any single step. Work through it from the top.

A phishing SMS asks you to type a password, you can refuse. A fake app, once installed and granted the wrong permissions, can read your screen, type into your banking app, accept OTPs from notifications, and hide its own icon. RBI, CERT-In and the I4C cybercrime unit have flagged this pattern repeatedly through 2024-2026. The NCRP portal has logged tens of thousands of “remote access” fraud complaints in the last 18 months alone.

The five families of fake apps you will encounter:

1. Sideloaded APKs sent over WhatsApp or Telegram, often dressed as a wedding invite, a courier slip, an electricity-bill helper, or an “income tax refund tool”
2. Remote-access apps like AnyDesk, TeamViewer QuickSupport and similar, installed at the request of a fake “bank manager” or “customs officer” who needed to “verify” something
3. Fake bank apps that mimic the real bank's name and icon, harvested from a clone listing on a third-party store
4. Fake loan apps that demand contacts and gallery access on first launch, then blackmail you with morphed photos
5. Fake government apps posing as DigiLocker, mParivahan, Income Tax, EPFO, IRCTC or a state grievance portal

The damage path is the same in each case: the app obtains accessibility service access, SMS read access, or screen-overlay permission. Once it has any one of those, it can quietly drain a bank account inside ten minutes. This is why we treat every minute as urgent.

Before you read another word, do these three things on the affected phone:

1. Slide down the notification shade and tap the airplane mode icon. This kills mobile data, Wi-Fi and SMS in one tap.
2. Yank the SIM card out if airplane mode is unreliable on your model. A paperclip will pop the tray on most phones.
3. Plug the phone in. You will need battery.

Airplane mode is the single most powerful defensive move you have. A fake app cannot exfiltrate, cannot accept push OTPs, cannot talk to its command server, and cannot relay anything to the attacker while the radios are off. Keep airplane mode on until step 6.

Read the whole plan once, then start at step 1. Do not skip steps even if you think a step does not apply.

Open Settings → Apps (Android) or Settings → General → iPhone Storage (iOS) and scroll the full list. You are looking for:

1. Any app installed in the last 48 hours that you do not remember installing
2. Any app called AnyDesk, TeamViewer, QuickSupport, AirDroid, AweSun, RustDesk, ApowerMirror, Vysor, or anything ending in “Remote”, “Mirror”, or “Support”
3. Any banking, loan or government-looking app whose publisher name you cannot recognise
4. Any app whose install source is not Google Play or App Store (Android: “App details” inside the listing will say “Installed from: package installer” or a browser name)

Take a screenshot of each suspicious entry. You will need the package name later for the cyber complaint.

Some fake apps refuse to uninstall by trapping the back-button using their accessibility service. You have to disarm them first.

1. Go to Settings → Accessibility → Installed services (Android) or Settings → Accessibility (iOS). Switch off any service belonging to the suspicious app.
2. Go to Settings → Apps → Special app access → Display over other apps and disable the suspicious app's overlay permission.
3. Go to Settings → Apps → Special app access → Device admin apps and revoke any device-admin rights the app holds. A fake app with device-admin rights can stop you uninstalling it, you must take this away first.
4. On iOS, go to Settings → General → VPN & Device Management and remove any unknown configuration profile.

Safe Mode disables every third-party app at boot. Even an app that has hidden its icon and intercepted button taps will be inert in Safe Mode. The exact key combination differs by phone:

1. Stock Android, Pixel, Motorola, Nokia: hold power, long-press “Power off” until “Reboot to safe mode” appears, tap OK.
2. Samsung Galaxy: hold power, tap and hold “Power off” until the Safe Mode icon appears.
3. Xiaomi, Redmi, POCO (HyperOS / MIUI): hold power, then volume-down at the boot logo, hold until “Safe Mode” shows in the bottom-left corner.
4. OnePlus, Realme, Oppo, Vivo: hold power and volume-down together at the boot logo.
5. iPhone: iOS does not have a Safe Mode in the Android sense. Instead, force-restart (volume up, volume down, hold side button) and uninstall the app from the home screen.

In Safe Mode, the screen will show a “Safe mode” watermark at the bottom. Open Settings → Apps → All apps, find each suspicious entry, tap Uninstall. If “Uninstall” is greyed out, the app still has device-admin rights, go back to step 2 and disable them. If a system-style fake app says “App installed by your administrator”, remove the admin policy first in Settings → Security → Device admin apps.

Reboot normally only after every flagged app is gone.

Use a second device (a spouse's phone, a parent's phone, a laptop), not the infected one. From the clean device, call your bank's 24×7 fraud number. Headline numbers as of 2026: SBI 1800 1111 09 / 1800 425 3800, HDFC 1800 258 6161, ICICI 1800 1080, Axis 1860 419 5555, PNB 1800 180 2222, Bank of Baroda 1800 5700, Kotak 1860 266 2666, Union Bank 1800 22 22 44.

Tell the operator: “I have unknowingly installed a fake app on my phone. Please freeze all debit and credit cards, disable UPI, disable net-banking and block my registered mobile number for OTP delivery pending verification. I will visit the branch in person to re-enable.” Note the service request number. Email the same instruction to the bank's grievance address as a paper trail (template at the end of this article).

If the bank refuses to freeze without an FIR, push back. The Reserve Bank of India's Customer Protection Circular DBR.No.Leg.BC.78/09.07.005/2017-18, reinforced by the Master Direction on Digital Payment Security Controls 2021, requires banks to act on a reported compromise immediately and apply the zero-liability test where the breach was not the customer's fault.

If any money has already moved or if the attacker had remote-access time on your phone (even without a confirmed debit yet), dial 1930 from the clean device. This is the National Cyber Crime Helpline run by I4C. The operator can request a temporary lien on the beneficiary account if your money was already routed. Keep your bank account number, the time of installation, and a one-line description ready.

After the call, file the written complaint at https://cybercrime.gov.in/. Choose category “Online Financial Fraud” if money moved, or “Other Cyber Crime → Suspicious App / Spyware” if no money moved yet. Upload the screenshots from step 1. Keep the NCRP acknowledgement number.

For a full minute-by-minute helpline script, jump to the 1930 helpline script. For the legal mechanics of the bank freeze, see how a bank freezes a cyber-fraud beneficiary account.

Now the bank is locked down and the cyber complaint is in. You can come off airplane mode on the affected phone, but cautiously:

1. Run Google Play Protect: open the Play Store, tap your profile picture, tap “Play Protect”, then “Scan”. Play Protect will tell you if other apps on the device are flagged as harmful. Remove anything it lists.
2. Reset your Google account password from a clean device at https://myaccount.google.com/security and sign out of all sessions.
3. Reset your Apple ID password from a clean device at https://appleid.apple.com/ and review trusted devices.
4. Check Settings → Apps → Default apps → Browser app and reset any browser hijack.
5. Check Settings → Notifications → Notification access and revoke notification-listener access from anything you do not recognise.
6. Check Settings → Apps → Permission manager → SMS and revoke SMS-read from every non-bank, non-OTP app. A fake app uses this to steal OTPs from the notification shade.

If money was lost, plan for a factory reset after the bank investigation closes (not before, because the forensic team or the cyber cell may need the evidence on the device). When you do reset, do not restore from the cloud backup until the cyber cell has confirmed it is clean. A poisoned backup will simply reinstall the fake app.

If the attacker had any window of access, assume they harvested your contacts, OTPs and SIM details. Visit a service-provider store within 24 hours and ask for an SIM lock with a personal unlock key (PUK). Optional: trigger a SIM swap with KYC re-verification so any cloned SIM the attacker may have provisioned is killed. The full process is at recover a stopped or swapped SIM.

The phone IS the evidence. Preserve these before any reset:

1. Install timestamp screenshots from Settings → Apps → [suspicious app] → App info
2. Package name (e.g. “com.fakeapp.bankhelper”) from the same screen
3. APK file on disk (Downloads / Files app), copied to USB; do not open
4. WhatsApp / Telegram / SMS thread from whoever sent the install link, with sender number
5. Call log entries for any number that asked you to install AnyDesk / TeamViewer or read out an OTP
6. Bank debit SMS with UTR / RRN visible
7. Net-banking login alerts, even if no money moved
8. Photo of the home screen showing the suspicious icon (or its absence after auto-hide)
9. Date and exact time you noticed the fraud, written on paper
10. APK file hash using any free tool

Email these to yourself as a single captioned PDF before any reset. Many victims lose their case at this step.

The Indian system is multi-channel by design. File on the relevant channels in this order:

1. 1930 helpline within the golden hour for any financial loss. Details: 1930 helpline script.
2. NCRP portal at https://cybercrime.gov.in/ within 24 hours, even if no money moved (for evidence on the federal database).
3. Local police cyber cell with FIR if the loss exceeds ₹50,000 or if identity theft has occurred. See “When cyber/police is needed” below.
4. Sanchar Saathi → Chakshu at https://sancharsaathi.gov.in/ to report the suspicious SMS, WhatsApp message or call that delivered the install link. This routes to the Department of Telecommunications and can blacklist the sending number.
5. CERT-In Vulnerability Disclosure at https://www.cert-in.org.in/ if the fake app was distributed at scale (e.g. you saw three relatives hit the same week with the same APK). CERT-In can issue an advisory.
6. Google Play Protect report if the app came from Play, via Play Store → app listing → three-dot menu → “Flag as inappropriate”.
7. Apple App Store report at https://reportaproblem.apple.com/ for an iOS impostor app.
8. Bank ombudsman at https://cms.rbi.org.in/ if the bank refuses to honour zero-liability after 30 days. RBI's Integrated Ombudsman Scheme 2021 applies.
9. DPDP Data Principal complaint to the relevant Data Protection Board if a fake loan app misused contacts or photos (DPDP Act 2023, §13 grievance redressal).

The legal handles:

1. Information Technology Act 2000, §43: civil compensation for unauthorised access
2. IT Act §66: criminal penalty for the same
3. IT Act §66C: identity theft (uses of password, electronic signature, unique ID)
4. IT Act §66D: cheating by personation using a computer resource
5. IT Act §66E: violation of privacy (covers the image-blackmail variant of fake loan apps)
6. Bharatiya Nyaya Sanhita 2023 §318: cheating, the BNS section that replaced IPC §420 from 1 July 2024
7. BNS §319: cheating by personation, replaces IPC §416/§419
8. BNS §336: forgery of electronic record
9. Bharatiya Nagarik Suraksha Sanhita 2023 §173: registration of FIR for cognisable offences
10. RBI Digital Lending Guidelines 2022 for fake-loan-app cases: only entities listed in the RBI app-registry can lend; any other app is illegal on its face
11. DPDP Act 2023 §17 and §18: penalties for processing personal data without consent

You should always file the NCRP complaint. You additionally need an FIR at a police station or cyber-crime cell when any of these is true:

1. The loss is ₹50,000 or above
2. You have evidence of identity theft (Aadhaar / PAN / driving licence misuse, not just a card debit)
3. The fake app is a loan-app with extortion or morphed-image blackmail, in which case BNS §351 (criminal intimidation), §296 (obscene acts) and IT Act §67/§67A may apply
4. The bank refuses to act, an FIR forces the bank's hand
5. Multiple people in your family or housing-society WhatsApp group were hit with the same APK, this is a chargeable conspiracy
6. Children or senior citizens were the targets, special-category offences attract higher punishment under BNS §111 (organised crime) and §112 (petty organised crime) when the modus is repeated

Go to the cyber-crime station nearest you, not the one nearest the fraudster, jurisdiction is now decided by the victim's location for cyber offences. Carry every item from the evidence checklist. Ask for a certified copy of the FIR under §173(2) BNSS, you will need it for bank, insurance and any RTI follow-ups.

If the cyber cell refuses to register the FIR, file an RTI on the police station seeking the General Diary entry and the station-house officer's reasons in writing. The complete playbook is at the citizen RTI playbook. RTI is not for fishing, it is for accountability after a refusal.

Copy this template into your email, fill the bracketed fields, send to the bank's grievance address (printed inside the bank app under “Help” and on the bank's official website). Always email even after a phone call, the phone call leaves no paper trail.

To: grievance@[yourbank].co.in
Cc: nodalofficer@[yourbank].co.in
Subject: URGENT: Fraud-suspect app installed on registered mobile - freeze all channels - account ending [last 4 digits]

Sir/Madam,

I am the registered account holder of savings/current account ending [last 4 digits] linked to mobile [10-digit number]. At approximately [HH:MM IST] on [DD MMM 2026] I unknowingly installed a suspicious app on my phone (package name [com.example.fakeapp], install source [Play / sideload / WhatsApp link]). Based on the indicators described below, I believe my UPI, debit card, credit card and net-banking channels are at imminent risk.

I have placed the device on airplane mode and uninstalled the app via Safe Mode. I have not yet performed a factory reset, as I am preserving the device as evidence.

I request the bank, under the Master Direction on Digital Payment Security Controls 2021 and the customer-protection circular DBR.No.Leg.BC.78/09.07.005/2017-18, to:

1. Immediately freeze all debit and credit cards on the account
2. Disable UPI on all VPAs linked to this account
3. Disable internet banking and mobile banking access pending in-branch verification
4. Block OTP delivery on the registered mobile number for the next 72 hours
5. Apply a hold on any pending high-value transactions in the last 24 hours
6. Acknowledge this email within 24 hours with a complaint reference number

The relevant cybercrime complaint number is [NCRP ack number] and the 1930 call reference is [1930 reference]. I have also filed the suspicious-communication report on Sanchar Saathi / Chakshu (reference [Chakshu ref]).

If money has been debited, I am invoking the zero-liability framework. The breach falls within "third-party breach where the deficiency lies neither with the bank nor with the customer" (RBI definition) and I am notifying you within the maximum window prescribed.

Please confirm in writing the actions taken and the timeline.

Yours faithfully,
[Full name]
[Account holder]
[Date]
[Place]

Send a copy to your own personal email and save the read-receipt. If the bank does not respond within 24 hours, forward the same email to the bank's Principal Nodal Officer (address is on the bank website under “Customer Grievance Redressal”), copying the RBI CMS portal address from https://cms.rbi.org.in/.

For the full bank-freeze legal mechanics, see the bank-freeze process and the golden-hour zero-liability rule. If a lien has already been placed on your account because you were the receiving end of a separate fraud, the page how to get a bank lien removed explains the unfreeze route. The acknowledgement-decoding helper sits at NCRP acknowledgement and bank-lien decoder.

1. Factory-resetting before evidence capture. The phone is the only artefact a forensic lab can examine. Reset only after the bank or cyber cell green-lights it.
2. Replying to the fraudster to “tell them off”, this confirms the number is live and you are the right person.
3. Reinstalling the same app to “check what it does”. Do not. The behaviour is sometimes triggered only on first launch.
4. Trusting a “tech-savvy cousin” with the phone. They mean well, they wipe the forensic trail. Wait for the bank or cyber cell.
5. Using the infected phone for netbanking from the browser. The device is compromised. Use a clean device.
6. Restoring an old backup without checking install dates. A backup taken after the install contains the fake app. Pick a backup from before.
7. Skipping the NCRP filing because “no money moved”. The complaint is the federal evidence record and links your case to wider gangs.
8. Calling the number that “the fraudster's bank sent” to verify your refund. Second-stage scam. The real bank never asks for refund codes over the phone.
9. Paying a fake “cybercrime lawyer” who DMs you on Instagram. There is no private recovery service. Official channels are free.
10. Ignoring the SIM. The attacker can clone your number and start step two. Always do step 7.

The two takeaways: speed in the first hour, and refusal to factory-reset before evidence capture.

If an app asks for any two of these on first launch, treat it as malicious until proven otherwise: accessibility service, display over other apps, SMS read and send, notification access, device admin, install unknown apps, contacts and call logs, all-files storage access, or run in background / ignore battery optimisation. A legitimate bank app asks for exactly one (SMS, for OTP autofill) and says so upfront. Government apps like DigiLocker, mParivahan or IRCTC will not ask for accessibility or display-over-other-apps. The deep dive on each permission is at app permissions: camera, contacts, SMS, location explained.

If you tapped “Sign in with Google” or “Sign in with Apple” inside the fake app, revoke the OAuth permission at https://myaccount.google.com/permissions or via Apple ID → Sign in with Apple, sign out of all sessions, and inspect Gmail forwarding rules (attackers often plant a silent forward to siphon OTPs from email). Full recovery routes are at recover a locked Google, Apple, Meta or Microsoft account.

Probably not. Many fake apps install a second-stage payload that survives the visible app's uninstall, especially on rooted Android or on phones with install unknown apps turned on. Run Play Protect and confirm with a Safe Mode reboot that no unfamiliar app remains. If money moved at any point, still file the NCRP complaint, the digital trail does not vanish when the icon vanishes.

Yes. Many fake apps run a background service the moment they are installed, especially those with accept install permissions flagged. They will exfiltrate contacts, SMS history and stored photos without ever showing a UI. Airplane mode is the only one-tap kill switch you have.

Not until the bank acknowledges your freeze in writing and either the cyber cell has copied the evidence off the device or has formally said they do not need it. The phone is your single best piece of evidence. Reset destroys it. After clearance, do reset, and choose “Set up as new” not “Restore from backup”.

Yes. No bank, anywhere, ever asks you to install AnyDesk, TeamViewer, QuickSupport or any remote-control app to verify anything. This is one of the single most common modus operandi flagged by RBI's “BE(A)WARE” booklet and reissued in CERT-In advisories every quarter. Treat it as confirmed fraud: airplane mode, uninstall, call bank, dial 1930. The fact that the caller knew your name or last four digits is not proof they are the bank, that data is leaked routinely.

This is the fake-loan-app blackmail pattern, covered by BNS §308 (extortion), §351 (criminal intimidation) and IT Act §66E (privacy). Do not pay, payment escalates demands. Keep message screenshots, file an FIR at the cyber cell, report the calling number on Sanchar Saathi, block the number, and proactively message your contacts about what they may receive. MHA's 2024 advisory confirms the police are equipped to handle the disclosure side.

Not automatically. The Reserve Bank's zero-liability framework requires the customer to notify the bank within three working days of the unauthorised transaction. If you do, and the breach is found to be a third-party breach where neither bank nor customer was negligent, the customer's liability is zero. If you notify between four and seven working days, your liability is capped at ₹10,000-₹25,000 depending on the account type. After seven working days, the bank's internal policy decides. Speed is everything. The mechanics are explained at the golden-hour zero-liability rule.

You need to worry about fake configuration profiles, fake “Sign in with Apple” prompts inside web pages, fake App Store listings (Apple has removed thousands of fake bank apps but a few slip in), and fake TestFlight builds shared by link. iOS does not allow sideloading APKs the way Android does, but a malicious Safari profile or a phished Apple ID gives the attacker enough leverage. Steps 0, 2, 4, 5 of the plan apply identically. The iOS-specific cleanup is in step 2 (remove unknown configuration profile under Settings → General → VPN & Device Management).

Sort the app list by install date (Settings → Apps → Sort → “First installed”) and check the install source for each app from the last week. Run Play Protect. If still inconclusive, boot into Safe Mode, if the weird behaviour stops, a third-party app is the cause and you are looking at the right list. As a last resort, take the phone to a registered service centre and ask for a logcat extract under formal complaint.

The bank will argue that reading out an OTP is a customer-side breach, which moves you from zero-liability to limited-liability. The counter-argument: you were deceived by an attacker impersonating the bank using cheating by personation (BNS §319 + IT Act §66D). Banks and the RBI Ombudsman have repeatedly held that social-engineered OTP disclosure under impersonation is a third-party breach where the customer's negligence is mitigated by the deception. File the NCRP and the bank complaint, and if the bank denies the refund, file with the Banking Ombudsman under the Integrated Ombudsman Scheme 2021. Many ombudsman orders have gone in the customer's favour since 2023.

Five permanent settings on the affected phone, applied once, hold for years: turn off Install unknown apps for every source under Settings → Security; keep Play Protect enabled and scheduled; review Accessibility services monthly and leave only the apps that genuinely need it (TalkBack, password managers); review Notification access every quarter; and inside your bank app, enable per-day and per-beneficiary transaction limits so any single fraud is capped. Tell every family member about steps 0 through 7. The single biggest predictor of “Will this person get caught” is whether they have read a guide like this one before the call.

The site's auto-schema layer (`/static/js/schema-auto.js`) reads the `==== Q ====` H4 headings and emits a valid `FAQPage` JSON-LD into the rendered head. Do not paste inline JSON-LD, it renders as visible code.

1. CERT-In Cyber Security Advisories, https://www.cert-in.org.in/
2. Indian Cybercrime Coordination Centre (I4C) NCRP portal, https://cybercrime.gov.in/
3. 1930 helpline, 24×7 National Cyber Crime Helpline
4. Sanchar Saathi (Chakshu), https://sancharsaathi.gov.in/ for reporting suspicious communications
5. Reserve Bank of India Master Direction on Digital Payment Security Controls 2021
6. RBI Customer Protection Circular DBR.No.Leg.BC.78/09.07.005/2017-18 on zero liability
7. RBI Guidelines on Digital Lending 2022, https://www.rbi.org.in/
8. Google Play Protect documentation, https://developers.google.com/android/play-protect
9. Apple App Store Review Guidelines, https://developer.apple.com/app-store/review/guidelines/
10. Information Technology Act 2000, with §43, §66, §66C, §66D, §66E
11. Bharatiya Nyaya Sanhita 2023, §318 (cheating), §319 (cheating by personation), §336 (forgery of electronic record), §308 (extortion), §351 (criminal intimidation)
12. Bharatiya Nagarik Suraksha Sanhita 2023, §173 (FIR for cognisable offences)
13. Digital Personal Data Protection Act 2023, §13 grievance redressal, §17, §18 penalties
14. RBI Integrated Ombudsman Scheme 2021, https://cms.rbi.org.in/

1. 1930 cyber fraud helpline: the exact 7-minute script
2. Golden-hour zero-liability rule explained
3. How a bank freezes a fraud beneficiary account
4. Bank lien on your account: how to get it removed
5. Decoding the NCRP acknowledgement and the bank-lien notice
6. SIM card stopped or swapped: KYC recovery walkthrough
7. App permissions explained: camera, contacts, SMS, location
8. Account locked on Google, Apple, Meta or Microsoft: recovery routes
9. The citizen RTI playbook

Editorial illustration, 1200x630, flat vector style, muted indigo and saffron palette. A smartphone in the centre, screen showing a generic banking app icon with a thin warning ring around it. Behind the phone, a faint silhouette of a hooded figure receding into a grid pattern of permission toggles (accessibility, SMS, overlay). Top-right corner: an airplane-mode icon glowing softly. Bottom-left: a small lock icon over a generic bank card silhouette. No real bank logos. No real person likenesses. No text on the image. Style: calm, instructional, public-information-poster feel, not horror. Slight grain for a print-poster quality.

This guide is published by the RTI Wiki editorial team for general public education. It is not legal advice. For your specific situation, consult a qualified lawyer or a registered cyber-crime cell.