Differences
This shows you the differences between two versions of the page.
| — | fake-apk-installation-scam-india [2026/07/10 23:32] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Fake APK App Installation Scam India — Detection, Cleanup, Recovery (2026) ====== | ||
| + | {{htmlmetatags> | ||
| + | {{htmlmetatags> | ||
| + | |||
| + | " | ||
| + | |||
| + | > **Citizen Crisis Response Network — APK rule**\\ **Never** install a ``.apk`` file received over WhatsApp, Telegram, email, or SMS — even if it appears to come from a relative. All legitimate Indian apps live on the Play Store / App Store / banks' verified domains. | ||
| + | |||
| + | ===== Direct answer (featured snippet) ===== | ||
| + | |||
| + | If you installed a ``.apk`` file received over WhatsApp / email / Telegram / SMS in India: (1) immediately switch the phone to **airplane mode**, (2) revoke **Accessibility Service** permission for any unknown app via Settings → Accessibility, | ||
| + | |||
| + | ===== In this guide ===== | ||
| + | |||
| + | * [[#How the fake APK scam runs|How the fake APK scam runs]] | ||
| + | * [[#Detect a trojan in 60 seconds|Detect a trojan in 60 seconds]] | ||
| + | * [[#The 30-minute cleanup drill|The 30-minute cleanup drill]] | ||
| + | * [[# | ||
| + | * [[#If money was already taken|If money was already taken]] | ||
| + | * [[#Sample report to bank|Sample report to bank]] | ||
| + | * [[#What not to do|What not to do]] | ||
| + | * [[#Can compensation be claimed? | ||
| + | * [[# | ||
| + | |||
| + | ===== How the fake APK scam runs ===== | ||
| + | |||
| + | - **Bait** — A WhatsApp / Telegram message from a " | ||
| + | - **Install** — The file installs from " | ||
| + | - **Hide** — The icon is sometimes invisible (no launcher entry); the trojan listens silently. | ||
| + | - **Capture** — Every banking SMS, every OTP, every WhatsApp 6-digit code is forwarded to the attacker. | ||
| + | - **Drain** — UPI added to a new device; WhatsApp account hijacked; net-banking accessed; pre-approved loans drawn instantly. | ||
| + | |||
| + | The defining permission ask: **Accessibility Service**. No legitimate non-screen-reader app needs it. | ||
| + | |||
| + | ===== Detect a trojan in 60 seconds ===== | ||
| + | |||
| + | - Settings → **Accessibility** → check the list of apps with Accessibility Service enabled. Any app you don't recognise = revoke immediately. | ||
| + | - Settings → **Apps** → list all installed apps; sort by date. Anything installed in the last 7-14 days that you don't recognise = uninstall. | ||
| + | - Settings → **Notifications** → notification access; revoke any app you don't recognise. | ||
| + | - Settings → **Special access** → **Install unknown apps** → revoke for **every** app except your trusted browser. | ||
| + | - Settings → **SMS & RCS** → default SMS app; ensure it's the system default, not a sideloaded app. | ||
| + | |||
| + | If even one suspicious entry appears, treat the device as compromised and run the cleanup drill below. | ||
| + | |||
| + | ===== The 30-minute cleanup drill ===== | ||
| + | |||
| + | - **Airplane mode** — cuts the trojan' | ||
| + | - From **another device**: | ||
| + | * Change net-banking password (your bank's website) | ||
| + | * Change email password + revoke active sessions | ||
| + | * Change WhatsApp 2-step verification PIN; sign out of WhatsApp Web sessions | ||
| + | * De-register UPI on every UPI app (PhonePe / GPay / Paytm / BHIM) | ||
| + | * Block debit card via the bank app | ||
| + | - **Original device, still in airplane mode**: | ||
| + | * Settings → Accessibility → disable / revoke all unknown apps | ||
| + | * Settings → Apps → uninstall the suspicious APK | ||
| + | * If you can't uninstall (some trojans use Device Admin), Settings → Security → Device Admin Apps → revoke first, then uninstall | ||
| + | - **Factory reset** — only after backups of photos / contacts to a clean storage (not Google account from this device) | ||
| + | - **Reach 1930** — within 90 minutes if any banking activity is suspected | ||
| + | - **File at cybercrime.gov.in** with the APK file (zip it; many anti-virus engines will fingerprint it) | ||
| + | - **Alert WhatsApp contacts** — the trojan often forwards itself to your contacts; tell them to delete | ||
| + | |||
| + | ===== Factory-reset done right ===== | ||
| + | |||
| + | - **Backup safely**: | ||
| + | * Photos / videos → upload to a separate cloud account (NOT the Google account currently on the device) | ||
| + | * Contacts → export to .vcf and store in a clean location | ||
| + | * Do **not** back up apps + data via Google Backup — the trojan persists in the backup | ||
| + | - **Sign out** of all accounts (Google, Samsung / Xiaomi / OnePlus, banking apps) | ||
| + | - Settings → System → Reset → **Erase all data (factory reset)** with the encryption option | ||
| + | - **Restart**; | ||
| + | - **Set up fresh** — install only Play Store / App Store apps; bank apps from official domains | ||
| + | - **Re-enable WhatsApp** with the duplicate SIM (or current SIM if not swapped); set 2-step PIN | ||
| + | - **Pull your CIBIL** — confirm no fraudulent loans | ||
| + | |||
| + | ===== If money was already taken ===== | ||
| + | |||
| + | If banking activity has occurred between installation and detection: | ||
| + | * **0–3 working days reporting** → zero customer liability under RBI Master Direction 2017 | ||
| + | * **4–7 working days** → capped customer liability (₹5,000 – ₹25,000) | ||
| + | * **Beyond 7 days** → bank's board policy | ||
| + | |||
| + | Steps: | ||
| + | - Call **1930** (golden hour matters) | ||
| + | - File at cybercrime.gov.in | ||
| + | - Email bank's " | ||
| + | - Demand temporary credit within 10 working days; resolution within 90 days | ||
| + | - **Banking Ombudsman** at cms.rbi.org.in if bank stalls | ||
| + | |||
| + | ===== Sample report to bank ===== | ||
| + | |||
| + | < | ||
| + | To, | ||
| + | The Branch Manager, | ||
| + | [Bank Name], [Branch], [City] | ||
| + | |||
| + | Subject: Unauthorised debit / banking trojan via .apk install — A/C | ||
| + | [last 4 digits] — request for refund under RBI Master Direction 2017 | ||
| + | |||
| + | Sir / Madam, | ||
| + | |||
| + | I, [Full name], holder of Savings A/C [number], wish to report | ||
| + | unauthorised debit(s) totalling ₹[amount] on [date] at approximately | ||
| + | [time], arising from a malicious Android Application Package (.apk) | ||
| + | that I installed in good faith on [date] at [time]. | ||
| + | |||
| + | Transactions affected: | ||
| + | |||
| + | [Date] [Time] [UTR / Ref] [Amount] [Beneficiary] | ||
| + | ... | ||
| + | |||
| + | Actions already taken: | ||
| + | 1. Airplane mode + accessibility revocation + factory reset | ||
| + | 2. Net-banking + email + WhatsApp passwords reset | ||
| + | 3. Debit card blocked | ||
| + | 4. 1930 complaint (Reference: ___) | ||
| + | 5. cybercrime.gov.in submission (Reference: ___) | ||
| + | 6. CIBIL report pulled (Reference: ___) | ||
| + | |||
| + | I report within ___ working day(s) of the unauthorised debit. Per RBI's | ||
| + | Master Direction on Limiting Liability of Customers, 2017, my liability | ||
| + | is [Zero / capped at ₹5,000]. I request you to: | ||
| + | a) Credit a temporary / shadow amount within 10 working days. | ||
| + | b) Resolve the dispute within 90 days. | ||
| + | c) Reply in writing. | ||
| + | |||
| + | Yours faithfully, | ||
| + | [Signature, Name, Date, Phone, Email] | ||
| + | </ | ||
| + | |||
| + | ===== What not to do ===== | ||
| + | |||
| + | * Do **not** install an APK received over any messaging platform — even from a known relative whose phone may itself be compromised. | ||
| + | * Do **not** grant Accessibility Service to any app that isn't a screen-reader, | ||
| + | * Do **not** restore from a backup taken **after** the suspicious install — the trojan persists. | ||
| + | * Do **not** rely on antivirus alone to clean a banking trojan; factory reset is the only sure cleanup. | ||
| + | * Do **not** delay reporting out of embarrassment — the RBI 3-day window is strict. | ||
| + | |||
| + | ===== Can compensation be claimed? ===== | ||
| + | |||
| + | * **Bank refund** — RBI Master Direction 2017 (zero liability if reported within 3 working days) | ||
| + | * **Banking Ombudsman** — RB-IOS 2021 if bank stalls; cms.rbi.org.in | ||
| + | * **Consumer court** — for negligence (e.g., bank ignored fraud-monitoring alerts) | ||
| + | * **TRAI / Sancharsaathi** action against the WhatsApp number / DLT (where applicable) | ||
| + | * **CERT-In incident report** — for serious cases; helps community-wide blacklisting | ||
| + | |||
| + | ===== What to do in the next 30 minutes (printable card) ===== | ||
| + | |||
| + | - **0–2 min** — Airplane mode | ||
| + | - **2–10 min** — From another device: net-banking pwd + email + WhatsApp PIN reset; debit card block | ||
| + | - **10–20 min** — Revoke Accessibility / Notification access; uninstall suspect app | ||
| + | - **20–30 min** — Factory reset after photos / contacts backup | ||
| + | - **+90 min** — 1930 call; cybercrime.gov.in file | ||
| + | - **+24 h** — Bank " | ||
| + | - **+72 h** — RBI 3-day window | ||
| + | |||
| + | ===== Long-tail keywords this page targets ===== | ||
| + | |||
| + | fake APK scam India 2026, wedding card APK virus, banking trojan India recovery, WhatsApp APK fraud, accessibility service trojan, factory reset banking trojan, IRCTC APK scam, EPF APK trojan, Income Tax APK fake, KYC APK fraud | ||
| + | |||
| + | ===== People also ask ===== | ||
| + | |||
| + | * **Q:** Can iPhone get the same APK trojan?\\ APK is Android-only. iOS has its own scams (configuration profiles, fake App Store links) but not APK trojans. | ||
| + | * **Q:** Is uninstalling enough or do I need factory reset?\\ Factory reset is the only sure cleanup. Some trojans persist in system folders or Device Admin. | ||
| + | * **Q:** What is " | ||
| + | * **Q:** Can the trojan steal my photos / contacts?\\ Yes — and forward itself to your WhatsApp contacts. Treat the data as exposed. | ||
| + | * **Q:** Will the bank believe me without proof of trojan?\\ Yes — RBI 2017 framework doesn' | ||
| + | |||
| + | ===== Voice-search queries ===== | ||
| + | |||
| + | " | ||
| + | |||
| + | ===== SVG / infographic prompts ===== | ||
| + | |||
| + | < | ||
| + | [Anatomy] " | ||
| + | 1. WhatsApp file (wedding/ | ||
| + | 2. Install + accessibility service | ||
| + | 3. SMS + OTP + notification capture | ||
| + | 4. UPI added to attacker device | ||
| + | 5. Drain → mule accounts → crypto | ||
| + | |||
| + | [Cleanup ladder] | ||
| + | airplane mode → revoke accessibility → uninstall → factory reset → fresh setup | ||
| + | └─ from another device: pwd resets | ||
| + | |||
| + | [Comparison table] " | ||
| + | - random low battery + heat (background) | ||
| + | - contacts get suspicious WhatsApp from your number | ||
| + | - OTP SMS arrives but you didn't request | ||
| + | - bank app shows unfamiliar device | ||
| + | </ | ||
| + | |||
| + | |||
| + | ===== If the formal channel fails, escalate via RTI ===== | ||
| + | |||
| + | <WRAP center round info 100%> | ||
| + | If this complaint isn't resolved through the regular complaint route, you can file an **RTI** to force the public authority to either act or explain in writing why they haven' | ||
| + | |||
| + | * Draft your application: | ||
| + | * Calculate timelines: [[https:// | ||
| + | * If PIO doesn' | ||
| + | * If PIO rejects without reason: [[https:// | ||
| + | * Sample applications: | ||
| + | </ | ||
| + | |||
| + | ===== Internal cross-links ===== | ||
| + | |||
| + | * [[fake-kyc-update-scam-india|Fake KYC update scam]] | ||
| + | * [[fake-police-notice-pdf-scam-india|Fake police notice PDF scam]] | ||
| + | * [[block-lost-stolen-sim-card-india|Block lost / stolen SIM]] | ||
| + | * [[social-media-hacked-recovery|Social media hijack recovery]] | ||
| + | * [[scammed-on-upi-recovery-steps|UPI fraud recovery]] | ||
| + | * [[fake-aadhaar-update-website-fraud|Fake Aadhaar update fraud]] | ||
| + | * [[banking-ombudsman-complaint-guide-india|Banking Ombudsman complaint guide]] | ||
| + | * [[recover-money-wrong-bank-account-india|Money sent to wrong account]] | ||
| + | |||
| + | ===== Government & authority references ===== | ||
| + | |||
| + | * **CERT-In** — cert-in.org.in (advisories, | ||
| + | * **MHA — I4C** — cybercrime.gov.in · **1930** | ||
| + | * **DoT — Sancharsaathi → Chakshu** for WhatsApp / SMS source reporting | ||
| + | * **PIB Fact Check** — factcheck.pib.gov.in | ||
| + | * **RBI Master Direction on Limiting Liability of Customers, 2017** | ||
| + | * **Banking Ombudsman** — cms.rbi.org.in | ||
| + | * **BNS 2024** §316 (personation), | ||
| + | * **IT Act 2000** §43 (computer damage), §66 (computer offences), §66C, §66D, §66F | ||
| + | |||
| + | ===== FAQ ===== | ||
| + | |||
| + | ==== How does an APK send my SMS to attackers? ==== | ||
| + | |||
| + | With SMS-read permission + Accessibility, | ||
| + | |||
| + | ==== Will a Play Protect scan catch it? ==== | ||
| + | |||
| + | Sometimes yes (the well-known families) and sometimes no (custom trojans). Don't rely on Play Protect; rely on **never installing an APK from chat**. | ||
| + | |||
| + | ==== My phone is fine — should I still factory-reset? | ||
| + | |||
| + | If you only opened the file but didn't install, no. If you installed and granted permissions, | ||
| + | |||
| + | ==== Can the trojan affect my computer? ==== | ||
| + | |||
| + | Not directly, but credentials it captured (email, banking) work on any device. | ||
| + | |||
| + | ==== How fast does the bank refund? ==== | ||
| + | |||
| + | Shadow / temporary credit within 10 working days; full resolution within 90 days. RB-IOS escalates if delayed. | ||
| + | |||
| + | ===== Myth vs reality ===== | ||
| + | |||
| + | ^ Myth ^ Reality ^ | ||
| + | | "APK from a friend is safe." | The friend' | ||
| + | | " | ||
| + | | "If I uninstall, I'm clean." | ||
| + | | "Banks won't refund a self-installed APK loss." | RBI 2017 frames this as deceit-based unauthorised transaction; | ||
| + | | " | ||
| + | |||
| + | ===== Last word ===== | ||
| + | |||
| + | The APK scam trades on one habit: tapping a file because someone you trust sent it. The fix is simple — install apps **only** from the Play Store / App Store / your bank's verified domain, **never** from chat. If you've already installed, the cleanup drill on this page closes the window before the trojan finishes its second job (hijacking your social accounts to spread itself). Share this page with anyone over 50 — they are the most-targeted demographic. | ||
| + | |||
| + | This page is part of RTI Wiki's **Citizen Crisis Response Network**. Updates tracked through CERT-In bulletins, MHA / I4C advisories, and RBI press releases. | ||
| + | ===== Fake APK installation scam in India: How to identify, prevent, and report (2026) ===== | ||
| + | |||
| + | Fake APK installation scam in India — complete guide on identification, | ||
| + | |||
| + | - **Step 1: What is a fake APK scam and how does it work?** (a) A fake APK — is a malicious — Android — application — package — that is disguised — as a legitimate — app — and is installed — on the victim' | ||
| + | - **Step 2: Scam comparison table — common fake APK scams.** (a) Bank KYC scam: (i) the pretext: KYC — update — or account — verification, | ||
| + | - **Step 3: How to identify a fake APK.** (a) the source: (i) the APK — is not — from the Google — Play Store, (ii) the APK — is sent — via WhatsApp — or SMS — or email, (b) the permissions: | ||
| + | - **Step 4: How to prevent fake APK scams.** (a) never — install — an APK — from an unknown — source, (b) never — share — the OTP — or the UPI — PIN — with anyone, (c) never — grant — the accessibility — service — to an unknown — app, (d) enable — the Google — Play Protect — on the phone, (e) install — the banking — apps — only — from the Google — Play Store, (f) check — the app — permissions — regularly, (g) use — the DND — service — to block — the spam — calls — and SMS. | ||
| + | - **Step 5: How to report a fake APK scam.** (a) the Cyber Crime: (i) file — the complaint — at cybercrime.gov.in — or call — 1930, (ii) the complaint — should include: (a) the phone — number — of the scammer, (b) the APK — file, (c) the transaction — details, (d) the screenshots — of the chat, (b) the police: (i) file — the FIR — at the police station — under Section 419 — and 420 — IPC — and Section 66C — and 66D — IT Act, (c) the bank: (i) inform — the bank — immediately — to freeze — the account, (ii) request — the transaction — reversal — if the money — is debited, (d) the RBI Ombudsman: (i) file — the complaint — at cms.rbi.org.in — if the bank — does not act. | ||
| + | - **Step 6: How to file RTI for fake APK scams.** (a) the Cyber Crime — Cell — and the Ministry of Home Affairs — are public authorities — under the RTI Act, (b) the RTI application — can ask: (i) " | ||
| + | - **Step 7: Practical tips.** (a) never — install — an APK — from WhatsApp — or SMS, (b) check — the permissions — before — installing — any app, (c) report — the scam — at cybercrime.gov.in — within — the first — 30 minutes — for the best — chance — of recovery, (d) inform — the bank — immediately — to freeze — the account, (e) file RTI — with the Cyber Crime — Cell — for the action — status — on the complaint, (f) Example: A victim — received — a call — from a "bank — official" | ||
| + | |||
| + | See [[https:// | ||
| + | |||
| + | {{tag> | ||