Fake APK App Installation Scam India — Detection, Cleanup, Recovery (2026)
“Wedding card_invitation.apk”, “Electricity_bill.apk”, “KYC_update.apk”, “Income_tax_notice.apk” — these are the highest-volume Android trojans circulating on WhatsApp in 2026. They spawn an invisible window that intercepts every OTP, takes over WhatsApp, and drains UPI in minutes. This page tells you how to detect installation, clean the device safely, and recover under RBI rules.
Citizen Crisis Response Network — APK rule
Never install a ``.apk`` file received over WhatsApp, Telegram, email, or SMS — even if it appears to come from a relative. All legitimate Indian apps live on the Play Store / App Store / banks' verified domains.
Direct answer (featured snippet)
If you installed a ``.apk`` file received over WhatsApp / email / Telegram / SMS in India: (1) immediately switch the phone to airplane mode, (2) revoke Accessibility Service permission for any unknown app via Settings → Accessibility, (3) uninstall the suspicious app + factory-reset the phone after backing up only photos and contacts, (4) call 1930 and file at cybercrime.gov.in if any banking activity is suspected, (5) change net-banking + email + WhatsApp passwords from a different device, and (6) email your bank within 24 hours under RBI's 2017 framework. Recovery probability is highest within the first 90 minutes.
How the fake APK scam runs
- Bait — A WhatsApp / Telegram message from a “relative” or “official source” with a file: ``Wedding_invitation_<name>.apk``, ``Electricity_bill_august.apk``, ``IRCTC_refund.apk``, ``Income_tax_notice.apk``, ``EPF_balance.apk``.
- Install — The file installs from “Unknown sources” and asks for Accessibility Service + SMS read + notifications + install other apps permissions.
- Hide — The icon is sometimes invisible (no launcher entry); the trojan listens silently.
- Capture — Every banking SMS, every OTP, every WhatsApp 6-digit code is forwarded to the attacker.
- Drain — UPI added to a new device; WhatsApp account hijacked; net-banking accessed; pre-approved loans drawn instantly.
The defining permission ask: Accessibility Service. No legitimate non-screen-reader app needs it.
Detect a trojan in 60 seconds
- Settings → Accessibility → check the list of apps with Accessibility Service enabled. Any app you don't recognise = revoke immediately.
- Settings → Apps → list all installed apps; sort by date. Anything installed in the last 7-14 days that you don't recognise = uninstall.
- Settings → Notifications → notification access; revoke any app you don't recognise.
- Settings → Special access → Install unknown apps → revoke for every app except your trusted browser.
- Settings → SMS & RCS → default SMS app; ensure it's the system default, not a sideloaded app.
If even one suspicious entry appears, treat the device as compromised and run the cleanup drill below.
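For someone helping audit the phone over USB (adb works while the phone stays in airplane mode), the Accessibility and notification-access checks above can also be read from the device's settings store. This is an added example, not part of the original page: the allowlist, the `com.example.weddingcard` sample values and the helper name `flag_unknown` are assumptions, and live mode needs USB debugging already enabled.

```shell
#!/bin/sh
# Added example: list packages holding Accessibility or notification access
# that are not on a known-good list. The input is the colon-separated
# "package/class" value Android stores for each grant:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners

# Assumption: packages you expect to hold these grants (TalkBack here).
ALLOW="com.google.android.marvin.talkback"

# flag_unknown "<components>" -> prints each non-allowlisted package once.
# (hypothetical helper name)
flag_unknown() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        case "$comp" in ''|null) continue ;; esac   # setting is unset
        pkg=${comp%%/*}                              # strip "/class"
        case " $ALLOW " in
            *" $pkg "*) ;;                           # expected holder
            *) printf '%s\n' "$pkg" ;;               # revoke and investigate
        esac
    done | sort -u
}

# Constructed sample values (not from a real device).
SAMPLE_A11Y='com.google.android.marvin.talkback/.TalkBackService:com.example.weddingcard/.CoreService'
SAMPLE_NOTIF='com.example.weddingcard/.Listener'

if [ "${AUDIT_LIVE:-0}" = 1 ] && command -v adb >/dev/null 2>&1; then
    # Live mode: reads the real values from the connected phone.
    A11Y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    NOTIF=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    echo "Default SMS app: $(adb shell settings get secure sms_default_application | tr -d '\r')"
else
    A11Y=$SAMPLE_A11Y
    NOTIF=$SAMPLE_NOTIF
fi

echo "Unrecognised Accessibility holders:"; flag_unknown "$A11Y"
echo "Unrecognised notification listeners:"; flag_unknown "$NOTIF"
```

Run it with `AUDIT_LIVE=1` to query a connected phone; without it the script only processes the constructed sample.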
The 30-minute cleanup drill
- Airplane mode — cuts the trojan's outbound traffic immediately
- From another device:
  - Change net-banking password (your bank's website)
  - Change email password + revoke active sessions
  - Change WhatsApp 2-step verification PIN; sign out of WhatsApp Web sessions
  - De-register UPI on every UPI app (PhonePe / GPay / Paytm / BHIM)
  - Block debit card via the bank app
- Original device, still in airplane mode:
  - Settings → Accessibility → disable / revoke all unknown apps
  - Settings → Apps → uninstall the suspicious APK
  - If you can't uninstall (some trojans use Device Admin), Settings → Security → Device Admin Apps → revoke first, then uninstall
  - Factory reset — only after backups of photos / contacts to a clean storage (not Google account from this device)
- Reach 1930 — within 90 minutes if any banking activity is suspected
- File at cybercrime.gov.in with the APK file (zip it; many anti-virus engines will fingerprint it)
- Alert WhatsApp contacts — the trojan often forwards itself to your contacts; tell them to delete
Factory-reset done right
- Backup safely:
  - Photos / videos → upload to a separate cloud account (NOT the Google account currently on the device)
  - Contacts → export to .vcf and store in a clean location
  - Do not back up apps + data via Google Backup — the trojan persists in the backup
- Sign out of all accounts (Google, Samsung / Xiaomi / OnePlus, banking apps)
- Settings → System → Reset → Erase all data (factory reset) with the encryption option
- Restart; do NOT restore from the prior backup
- Set up fresh — install only Play Store / App Store apps; bank apps from official domains
- Re-enable WhatsApp with the duplicate SIM (or current SIM if not swapped); set 2-step PIN
- Pull your CIBIL — confirm no fraudulent loans
If money was already taken
If banking activity has occurred between installation and detection:
- 0–3 working days reporting → zero customer liability under RBI Master Direction 2017
- 4–7 working days → capped customer liability (₹5,000 – ₹25,000)
- Beyond 7 days → bank's board policy
Steps:
- Call 1930 (golden hour matters)
- File at cybercrime.gov.in
- Email bank's “report unauthorised transaction” with: time of APK install, time of transactions, 1930 reference, factory-reset confirmation
- Demand temporary credit within 10 working days; resolution within 90 days
- Banking Ombudsman at cms.rbi.org.in if bank stalls
Sample report to bank
To,
The Branch Manager, [Bank Name], [Branch], [City]

Subject: Unauthorised debit / banking trojan via .apk install — A/C [last 4 digits] — request for refund under RBI Master Direction 2017

Sir / Madam,

I, [Full name], holder of Savings A/C [number], wish to report unauthorised debit(s) totalling ₹[amount] on [date] at approximately [time], arising from a malicious Android Application Package (.apk) that I installed in good faith on [date] at [time].

Transactions affected:
[Date] [Time] [UTR / Ref] [Amount] [Beneficiary]
...

Actions already taken:
1. Airplane mode + accessibility revocation + factory reset
2. Net-banking + email + WhatsApp passwords reset
3. Debit card blocked
4. 1930 complaint (Reference: ___)
5. cybercrime.gov.in submission (Reference: ___)
6. CIBIL report pulled (Reference: ___)

I report within ___ working day(s) of the unauthorised debit. Per RBI's Master Direction on Limiting Liability of Customers, 2017, my liability is [Zero / capped at ₹5,000].

I request you to:
a) Credit a temporary / shadow amount within 10 working days.
b) Resolve the dispute within 90 days.
c) Reply in writing.

Yours faithfully,
[Signature, Name, Date, Phone, Email]
What not to do
- Do not install an APK received over any messaging platform — even from a known relative whose phone may itself be compromised.
- Do not grant Accessibility Service to any app that isn't a screen-reader, automation tool you trust, or a password manager you've vetted.
- Do not restore from a backup taken after the suspicious install — the trojan persists.
- Do not rely on antivirus alone to clean a banking trojan; factory reset is the only sure cleanup.
- Do not delay reporting out of embarrassment — the RBI 3-day window is strict.
Can compensation be claimed?
- Bank refund — RBI Master Direction 2017 (zero liability if reported within 3 working days)
- Banking Ombudsman — RB-IOS 2021 if bank stalls; cms.rbi.org.in
- Consumer court — for negligence (e.g., bank ignored fraud-monitoring alerts)
- TRAI / Sancharsaathi action against the WhatsApp number / DLT (where applicable)
- CERT-In incident report — for serious cases; helps community-wide blacklisting
What to do in the next 30 minutes (printable card)
- 0–2 min — Airplane mode
- 2–10 min — From another device: net-banking pwd + email + WhatsApp PIN reset; debit card block
- 10–20 min — Revoke Accessibility / Notification access; uninstall suspect app
- 20–30 min — Factory reset after photos / contacts backup
- +90 min — 1930 call; cybercrime.gov.in file
- +24 h — Bank “report unauthorised transaction” email
- +72 h — RBI 3-day window
People also ask
- Q: Can iPhone get the same APK trojan?
  APK is Android-only. iOS has its own scams (configuration profiles, fake App Store links) but not APK trojans.
- Q: Is uninstalling enough or do I need factory reset?
  Factory reset is the only sure cleanup. Some trojans persist in system folders or Device Admin.
- Q: What is “Accessibility Service” abuse?
  Accessibility was designed for screen-readers; trojans abuse it to read every screen, perform taps, and intercept inputs. Almost every banking trojan asks for it.
- Q: Can the trojan steal my photos / contacts?
  Yes — and forward itself to your WhatsApp contacts. Treat the data as exposed.
- Q: Will the bank believe me without proof of trojan?
  Yes — RBI 2017 framework doesn't require forensic proof, only timely reporting + reasonable explanation.
SVG / infographic prompts
[Anatomy] "Banking-trojan APK chain"
1. WhatsApp file (wedding/bill APK)
2. Install + accessibility service
3. SMS + OTP + notification capture
4. UPI added to attacker device
5. Drain → mule accounts → crypto
[Cleanup ladder]
airplane mode → revoke accessibility → uninstall → factory reset → fresh setup
└─ from another device: pwd resets
[Comparison table] "Symptoms of trojan"
- random low battery + heat (background)
- contacts get suspicious WhatsApp from your number
- OTP SMS arrives but you didn't request
- bank app shows unfamiliar device
Government & authority references
- CERT-In — cert-in.org.in (advisories, incident reporting)
- MHA — I4C — cybercrime.gov.in · 1930
- DoT — Sancharsaathi → Chakshu for WhatsApp / SMS source reporting
- PIB Fact Check — factcheck.pib.gov.in
- RBI Master Direction on Limiting Liability of Customers, 2017
- Banking Ombudsman — cms.rbi.org.in
- BNS 2024 §316 (personation), §319 (cheating), §336–§338 (forgery)
- IT Act 2000 §43 (computer damage), §66 (computer offences), §66C, §66D, §66F
FAQ
++++ How does an APK send my SMS to attackers? | With SMS-read permission + Accessibility, the trojan reads every incoming SMS and forwards via HTTPS to its command server. ++++
++++ Will a Play Protect scan catch it? | Sometimes yes (the well-known families) and sometimes no (custom trojans). Don't rely on Play Protect; rely on never installing an APK from chat. ++++
++++ My phone is fine — should I still factory-reset? | If you only opened the file but didn't install, no. If you installed and granted permissions, yes — it's the only certain cleanup. ++++
++++ Can the trojan affect my computer? | Not directly, but credentials it captured (email, banking) work on any device. ++++
++++ How fast does the bank refund? | Shadow / temporary credit within 10 working days; full resolution within 90 days. RB-IOS escalates if delayed. ++++
Myth vs reality
| Myth | Reality |
|---|---|
| “APK from a friend is safe.” | The friend's phone may itself be compromised; the file is the threat, not the sender. |
| “Antivirus will catch it.” | Custom trojans evade most AV. Factory reset is the safe fix. |
| “If I uninstall, I'm clean.” | Trojans abuse Device Admin and persist. |
| “Banks won't refund a self-installed APK loss.” | RBI 2017 frames this as deceit-based unauthorised transaction; refund is the rule. |
| “I'll lose all my data on factory reset.” | Photos / contacts / Drive sync are recoverable. Apps re-install from store. |
Last word
The APK scam trades on one habit: tapping a file because someone you trust sent it. The fix is simple — install apps only from the Play Store / App Store / your bank's verified domain, never from chat. If you've already installed, the cleanup drill on this page closes the window before the trojan finishes its second job (hijacking your social accounts to spread itself). Share this page with anyone over 50 — they are the most-targeted demographic.
This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through CERT-In bulletins, MHA / I4C advisories, and RBI press releases.