📱Test our Android app — free beta!Join Beta GroupYou'll receive the install link by email after joining.

Differences

This shows you the differences between two versions of the page.


fake-apk-installation-scam-india [2026/07/10 23:32] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== Fake APK App Installation Scam India — Detection, Cleanup, Recovery (2026) ======
  
 +{{htmlmetatags>metatag-description=(Installed a "wedding card / e-bill / KYC" APK on WhatsApp? Detect the trojan in 60 seconds, factory-reset safely, recover money under RBI 2017 rules — 2026 playbook.)}}
 +{{htmlmetatags>metatag-keywords=(fake APK scam India, wedding card APK virus, WhatsApp APK trojan, banking trojan APK, factory reset Android scam recovery)}}
 +
 +"Wedding card_invitation.apk", "Electricity_bill.apk", "KYC_update.apk", "Income_tax_notice.apk" — these are the highest-volume Android trojans circulating on WhatsApp in 2026. They spawn an invisible window that intercepts every OTP, takes over WhatsApp, and drains UPI in minutes. This page tells you how to detect installation, clean the device safely, and recover under RBI rules.
 +
 +> **Citizen Crisis Response Network — APK rule**\\ **Never** install a ``.apk`` file received over WhatsApp, Telegram, email, or SMS — even if it appears to come from a relative. All legitimate Indian apps live on the Play Store / App Store / banks' verified domains.
 +
 +===== Direct answer (featured snippet) =====
 +
 +If you installed a ``.apk`` file received over WhatsApp / email / Telegram / SMS in India: (1) immediately switch the phone to **airplane mode**, (2) revoke **Accessibility Service** permission for any unknown app via Settings → Accessibility, (3) **uninstall** the suspicious app + **factory-reset** the phone after backing up only photos and contacts, (4) call **1930** and file at [[https://cybercrime.gov.in|cybercrime.gov.in]] if any banking activity is suspected, (5) change net-banking + email + WhatsApp passwords from a different device, and (6) email your bank within 24 hours under RBI's 2017 framework. Recovery probability is highest within the first 90 minutes.
 +
 +===== In this guide =====
 +
 +  * [[#How the fake APK scam runs|How the fake APK scam runs]]
 +  * [[#Detect a trojan in 60 seconds|Detect a trojan in 60 seconds]]
 +  * [[#The 30-minute cleanup drill|The 30-minute cleanup drill]]
 +  * [[#Factory-reset done right|Factory-reset done right]]
 +  * [[#If money was already taken|If money was already taken]]
 +  * [[#Sample report to bank|Sample report to bank]]
 +  * [[#What not to do|What not to do]]
 +  * [[#Can compensation be claimed?|Can compensation be claimed?]]
 +  * [[#FAQ|FAQ]]
 +
 +===== How the fake APK scam runs =====
 +
 +  - **Bait** — A WhatsApp / Telegram message from a "relative" or "official source" with a file: ``Wedding_invitation_<name>.apk``, ``Electricity_bill_august.apk``, ``IRCTC_refund.apk``, ``Income_tax_notice.apk``, ``EPF_balance.apk``.
 +  - **Install** — The file installs from "Unknown sources" and asks for **Accessibility Service** + **SMS read** + **notifications** + **install other apps** permissions.
 +  - **Hide** — The icon is sometimes invisible (no launcher entry); the trojan listens silently.
 +  - **Capture** — Every banking SMS, every OTP, every WhatsApp 6-digit code is forwarded to the attacker.
 +  - **Drain** — UPI added to a new device; WhatsApp account hijacked; net-banking accessed; pre-approved loans drawn instantly.
 +
 +The defining permission ask: **Accessibility Service**. No legitimate non-screen-reader app needs it.
 +
 +===== Detect a trojan in 60 seconds =====
 +
 +  - Settings → **Accessibility** → check the list of apps with Accessibility Service enabled. Any app you don't recognise = revoke immediately.
 +  - Settings → **Apps** → list all installed apps; sort by date. Anything installed in the last 7-14 days that you don't recognise = uninstall.
 +  - Settings → **Notifications** → notification access; revoke any app you don't recognise.
 +  - Settings → **Special access** → **Install unknown apps** → revoke for **every** app except your trusted browser.
 +  - Settings → **SMS & RCS** → default SMS app; ensure it's the system default, not a sideloaded app.
 +
 +If even one suspicious entry appears, treat the device as compromised and run the cleanup drill below.
 +
 +===== The 30-minute cleanup drill =====
 +
 +  - **Airplane mode** — cuts the trojan's outbound traffic immediately
 +  - From **another device**:
 +    * Change net-banking password (your bank's website)
 +    * Change email password + revoke active sessions
 +    * Change WhatsApp 2-step verification PIN; sign out of WhatsApp Web sessions
 +    * De-register UPI on every UPI app (PhonePe / GPay / Paytm / BHIM)
 +    * Block debit card via the bank app
 +  - **Original device, still in airplane mode**:
 +    * Settings → Accessibility → disable / revoke all unknown apps
 +    * Settings → Apps → uninstall the suspicious APK
 +    * If you can't uninstall (some trojans use Device Admin), Settings → Security → Device Admin Apps → revoke first, then uninstall
 +  - **Factory reset** — only after backups of photos / contacts to a clean storage (not Google account from this device)
 +  - **Reach 1930** — within 90 minutes if any banking activity is suspected
 +  - **File at cybercrime.gov.in** with the APK file (zip it; many anti-virus engines will fingerprint it)
 +  - **Alert WhatsApp contacts** — the trojan often forwards itself to your contacts; tell them to delete
 +
 +===== Factory-reset done right =====
 +
 +  - **Backup safely**:
 +    * Photos / videos → upload to a separate cloud account (NOT the Google account currently on the device)
 +    * Contacts → export to .vcf and store in a clean location
 +    * Do **not** back up apps + data via Google Backup — the trojan persists in the backup
 +  - **Sign out** of all accounts (Google, Samsung / Xiaomi / OnePlus, banking apps)
 +  - Settings → System → Reset → **Erase all data (factory reset)** with the encryption option
 +  - **Restart**; do NOT restore from the prior backup
 +  - **Set up fresh** — install only Play Store / App Store apps; bank apps from official domains
 +  - **Re-enable WhatsApp** with the duplicate SIM (or current SIM if not swapped); set 2-step PIN
 +  - **Pull your CIBIL** — confirm no fraudulent loans
 +
 +===== If money was already taken =====
 +
 +If banking activity has occurred between installation and detection:
 +  * **0–3 working days reporting** → zero customer liability under RBI Master Direction 2017
 +  * **4–7 working days** → capped customer liability (₹5,000 – ₹25,000)
 +  * **Beyond 7 days** → bank's board policy
 +
 +Steps:
 +  - Call **1930** (golden hour matters)
 +  - File at cybercrime.gov.in
 +  - Email bank's "report unauthorised transaction" with: time of APK install, time of transactions, 1930 reference, factory-reset confirmation
 +  - Demand temporary credit within 10 working days; resolution within 90 days
 +  - **Banking Ombudsman** at cms.rbi.org.in if bank stalls
 +
 +===== Sample report to bank =====
 +
 +<code>
 +To,
 +The Branch Manager,
 +[Bank Name], [Branch], [City]
 +
 +Subject: Unauthorised debit / banking trojan via .apk install — A/C
 +[last 4 digits] — request for refund under RBI Master Direction 2017
 +
 +Sir / Madam,
 +
 +I, [Full name], holder of Savings A/C [number], wish to report
 +unauthorised debit(s) totalling ₹[amount] on [date] at approximately
 +[time], arising from a malicious Android Application Package (.apk)
 +that I installed in good faith on [date] at [time].
 +
 +Transactions affected:
 +
 +[Date] [Time] [UTR / Ref] [Amount] [Beneficiary]
 +...
 +
 +Actions already taken:
 +  1. Airplane mode + accessibility revocation + factory reset
 +  2. Net-banking + email + WhatsApp passwords reset
 +  3. Debit card blocked
 +  4. 1930 complaint (Reference: ___)
 +  5. cybercrime.gov.in submission (Reference: ___)
 +  6. CIBIL report pulled (Reference: ___)
 +
 +I report within ___ working day(s) of the unauthorised debit. Per RBI's
 +Master Direction on Limiting Liability of Customers, 2017, my liability
 +is [Zero / capped at ₹5,000]. I request you to:
 +  a) Credit a temporary / shadow amount within 10 working days.
 +  b) Resolve the dispute within 90 days.
 +  c) Reply in writing.
 +
 +Yours faithfully,
 +[Signature, Name, Date, Phone, Email]
 +</code>
 +
 +===== What not to do =====
 +
 +  * Do **not** install an APK received over any messaging platform — even from a known relative whose phone may itself be compromised.
 +  * Do **not** grant Accessibility Service to any app that isn't a screen-reader, automation tool you trust, or a password manager you've vetted.
 +  * Do **not** restore from a backup taken **after** the suspicious install — the trojan persists.
 +  * Do **not** rely on antivirus alone to clean a banking trojan; factory reset is the only sure cleanup.
 +  * Do **not** delay reporting out of embarrassment — the RBI 3-day window is strict.
 +
 +===== Can compensation be claimed? =====
 +
 +  * **Bank refund** — RBI Master Direction 2017 (zero liability if reported within 3 working days)
 +  * **Banking Ombudsman** — RB-IOS 2021 if bank stalls; cms.rbi.org.in
 +  * **Consumer court** — for negligence (e.g., bank ignored fraud-monitoring alerts)
 +  * **TRAI / Sancharsaathi** action against the WhatsApp number / DLT (where applicable)
 +  * **CERT-In incident report** — for serious cases; helps community-wide blacklisting
 +
 +===== What to do in the next 30 minutes (printable card) =====
 +
 +  - **0–2 min** — Airplane mode
 +  - **2–10 min** — From another device: net-banking pwd + email + WhatsApp PIN reset; debit card block
 +  - **10–20 min** — Revoke Accessibility / Notification access; uninstall suspect app
 +  - **20–30 min** — Factory reset after photos / contacts backup
 +  - **+90 min** — 1930 call; cybercrime.gov.in file
 +  - **+24 h** — Bank "report unauthorised transaction" email
 +  - **+72 h** — RBI 3-day window
 +
 +===== Long-tail keywords this page targets =====
 +
 +fake APK scam India 2026, wedding card APK virus, banking trojan India recovery, WhatsApp APK fraud, accessibility service trojan, factory reset banking trojan, IRCTC APK scam, EPF APK trojan, Income Tax APK fake, KYC APK fraud
 +
 +===== People also ask =====
 +
 +  * **Q:** Can iPhone get the same APK trojan?\\ APK is Android-only. iOS has its own scams (configuration profiles, fake App Store links) but not APK trojans.
 +  * **Q:** Is uninstalling enough or do I need factory reset?\\ Factory reset is the only sure cleanup. Some trojans persist in system folders or Device Admin.
 +  * **Q:** What is "Accessibility Service" abuse?\\ Accessibility was designed for screen-readers; trojans abuse it to read every screen, type taps, and intercept inputs. Almost every banking trojan asks for it.
 +  * **Q:** Can the trojan steal my photos / contacts?\\ Yes — and forward itself to your WhatsApp contacts. Treat the data as exposed.
 +  * **Q:** Will the bank believe me without proof of trojan?\\ Yes — RBI 2017 framework doesn't require **forensic proof**, only timely reporting + reasonable explanation.
 +
 +===== Voice-search queries =====
 +
 +"Wedding card APK scam." · "How to remove banking trojan Android?" · "Factory reset after fake KYC APK." · "WhatsApp APK virus." · "IRCTC APK fake."
 +
 +===== SVG / infographic prompts =====
 +
 +<code>
 +[Anatomy] "Banking-trojan APK chain"
 +1. WhatsApp file (wedding/bill APK)
 +2. Install + accessibility service
 +3. SMS + OTP + notification capture
 +4. UPI added to attacker device
 +5. Drain → mule accounts → crypto
 +
 +[Cleanup ladder]
 +airplane mode → revoke accessibility → uninstall → factory reset → fresh setup
 +                                            └─ from another device: pwd resets
 +
 +[Comparison table] "Symptoms of trojan"
 +- random low battery + heat (background)
 +- contacts get suspicious WhatsApp from your number
 +- OTP SMS arrives but you didn't request
 +- bank app shows unfamiliar device
 +</code>
 +
 +
 +===== If the formal channel fails, escalate via RTI =====
 +
 +<WRAP center round info 100%>
 +If this complaint isn't resolved through the regular complaint route, you can file an **RTI** to force the public authority to either act or explain in writing why they haven't. The fee is ₹10 (free if you're BPL).
 +
 +  * Draft your application: [[https://righttoinformation.wiki/tools/ai-rti-draft-app.html|AI RTI Drafter]]
 +  * Calculate timelines: [[https://righttoinformation.wiki/tools/timeline-calculator-app.html|Timeline Calculator]]
 +  * If PIO doesn't reply in 30 days: [[https://righttoinformation.wiki/appeal-templates/deemed-refusal-first-appeal|Deemed refusal first appeal]]
 +  * If PIO rejects without reason: [[https://righttoinformation.wiki/appeal-templates/wrongful-section-8-rejection|S.8 rejection appeal]]
 +  * Sample applications: [[https://righttoinformation.wiki/guide/applicant/application/sample/start|Sample RTI library]]
 +</WRAP>
 +
 +===== Internal cross-links =====
 +
 +  * [[fake-kyc-update-scam-india|Fake KYC update scam]]
 +  * [[fake-police-notice-pdf-scam-india|Fake police notice PDF scam]]
 +  * [[block-lost-stolen-sim-card-india|Block lost / stolen SIM]]
 +  * [[social-media-hacked-recovery|Social media hijack recovery]]
 +  * [[scammed-on-upi-recovery-steps|UPI fraud recovery]]
 +  * [[fake-aadhaar-update-website-fraud|Fake Aadhaar update fraud]]
 +  * [[banking-ombudsman-complaint-guide-india|Banking Ombudsman complaint guide]]
 +  * [[recover-money-wrong-bank-account-india|Money sent to wrong account]]
 +
 +===== Government & authority references =====
 +
 +  * **CERT-In** — cert-in.org.in (advisories, incident reporting)
 +  * **MHA — I4C** — cybercrime.gov.in · **1930**
 +  * **DoT — Sancharsaathi → Chakshu** for WhatsApp / SMS source reporting
 +  * **PIB Fact Check** — factcheck.pib.gov.in
 +  * **RBI Master Direction on Limiting Liability of Customers, 2017**
 +  * **Banking Ombudsman** — cms.rbi.org.in
 +  * **BNS 2024** §316 (personation), §319 (cheating), §336–§338 (forgery)
 +  * **IT Act 2000** §43 (computer damage), §66 (computer offences), §66C, §66D, §66F
 +
 +===== FAQ =====
 +
 +==== How does an APK send my SMS to attackers? ====
 +
 +With SMS-read permission + Accessibility, the trojan reads every incoming SMS and forwards via HTTPS to its command server.
 +
 +==== Will a Play Protect scan catch it? ====
 +
 +Sometimes yes (the well-known families) and sometimes no (custom trojans). Don't rely on Play Protect; rely on **never installing an APK from chat**.
 +
 +==== My phone is fine — should I still factory-reset? ====
 +
 +If you only opened the file but didn't install, no. If you installed and granted permissions, yes — it's the only certain cleanup.
 +
 +==== Can the trojan affect my computer? ====
 +
 +Not directly, but credentials it captured (email, banking) work on any device.
 +
 +==== How fast does the bank refund? ====
 +
 +Shadow / temporary credit within 10 working days; full resolution within 90 days. RB-IOS escalates if delayed.
 +
 +===== Myth vs reality =====
 +
 +^ Myth ^ Reality ^
 +| "APK from a friend is safe." | The friend's phone may itself be compromised; the file is the threat, not the sender. |
 +| "Antivirus will catch it." | Custom trojans evade most AV. Factory reset is the safe fix. |
 +| "If I uninstall, I'm clean." | Trojans abuse Device Admin and persist. |
 +| "Banks won't refund a self-installed APK loss." | RBI 2017 frames this as deceit-based unauthorised transaction; refund is the rule. |
 +| "I'll lose all my data on factory reset." | Photos / contacts / Drive sync are recoverable. Apps re-install from store. |
 +
 +===== Last word =====
 +
 +The APK scam trades on one habit: tapping a file because someone you trust sent it. The fix is simple — install apps **only** from the Play Store / App Store / your bank's verified domain, **never** from chat. If you've already installed, the cleanup drill on this page closes the window before the trojan finishes its second job (hijacking your social accounts to spread itself). Share this page with anyone over 50 — they are the most-targeted demographic.
 +
 +This page is part of RTI Wiki's **Citizen Crisis Response Network**. Updates tracked through CERT-In bulletins, MHA / I4C advisories, and RBI press releases.
 +===== Fake APK installation scam in India: How to identify, prevent, and report (2026) =====
 +
 +Fake APK installation scam in India — complete guide on identification, prevention, and reporting:
 +
 +  - **Step 1: What is a fake APK scam and how does it work?** (a) A fake APK — is a malicious — Android — application — package — that is disguised — as a legitimate — app — and is installed — on the victim's — phone — to steal — the money — or the data, (b) the common — methods: (i) the scammer — calls — the victim — posing — as a bank — official — or a police — officer — and asks — the victim — to install — an APK — for "security — verification" — or "KYC — update", (ii) the scammer — sends — the APK — link — via WhatsApp — or SMS, (iii) the victim — installs — the APK — which grants — the scammer — the remote — access — to the phone, (iv) the scammer — accesses — the banking — apps — and the UPI — and transfers — the money, (c) the impact: (i) the average — loss — is Rs 50,000 — to Rs 5,00,000, (ii) the scam — is increasing — with over — 100,000 — cases — reported — in 2025.
 +  - **Step 2: Scam comparison table — common fake APK scams.** (a) Bank KYC scam: (i) the pretext: KYC — update — or account — verification, (ii) the APK: bank — security — app, (iii) the access: SMS — calls — contacts — banking, (iv) the loss: bank — balance, (b) Police/ED scam: (i) the pretext: legal — action — or investigation, (ii) the APK: evidence — collection — app, (iii) the access: full — phone — access, (iv) the loss: bank — balance — and UPI, (c) Package delivery scam: (i) the pretext: delivery — confirmation, (ii) the APK: delivery — tracking — app, (iii) the access: SMS — OTP — banking, (iv) the loss: UPI — and bank, (d) Investment scam: (i) the pretext: high — returns — investment, (ii) the APK: trading — app, (iii) the access: banking — and personal — data, (iv) the loss: investment — amount, (e) Lottery scam: (i) the pretext: lottery — or prize — winning, (ii) the APK: lottery — claim — app, (iii) the access: banking — and SMS, (iv) the loss: processing — fee — and bank — balance.
 +  - **Step 3: How to identify a fake APK.** (a) the source: (i) the APK — is not — from the Google — Play Store, (ii) the APK — is sent — via WhatsApp — or SMS — or email, (b) the permissions: (i) the APK — asks — for the accessibility — service — or the SMS — read — permission — or the screen — capture — permission, (ii) the legitimate — apps — do not — ask — for these — permissions, (c) the app — name: (i) the APK — has — a generic — or suspicious — name — (e.g. — "SecurityUpdate.apk" — "KYC_Verify.apk"), (d) the behaviour: (i) the APK — disappears — from the app — drawer — after installation, (ii) the APK — runs — in the background — and drains — the battery.
 +  - **Step 4: How to prevent fake APK scams.** (a) never — install — an APK — from an unknown — source, (b) never — share — the OTP — or the UPI — PIN — with anyone, (c) never — grant — the accessibility — service — to an unknown — app, (d) enable — the Google — Play Protect — on the phone, (e) install — the banking — apps — only — from the Google — Play Store, (f) check — the app — permissions — regularly, (g) use — the DND — service — to block — the spam — calls — and SMS.
 +  - **Step 5: How to report a fake APK scam.** (a) the Cyber Crime: (i) file — the complaint — at cybercrime.gov.in — or call — 1930, (ii) the complaint — should include: (a) the phone — number — of the scammer, (b) the APK — file, (c) the transaction — details, (d) the screenshots — of the chat, (b) the police: (i) file — the FIR — at the police station — under Section 419 — and 420 — IPC — and Section 66C — and 66D — IT Act, (c) the bank: (i) inform — the bank — immediately — to freeze — the account, (ii) request — the transaction — reversal — if the money — is debited, (d) the RBI Ombudsman: (i) file — the complaint — at cms.rbi.org.in — if the bank — does not act.
 +  - **Step 6: How to file RTI for fake APK scams.** (a) the Cyber Crime — Cell — and the Ministry of Home Affairs — are public authorities — under the RTI Act, (b) the RTI application — can ask: (i) "Provide the statistics — of the fake — APK — scams — for [state] — for the period [date] to [date] — including: (a) the cases — registered, (b) the cases — solved, (c) the money — recovered, (d) the arrests — made", (ii) "Provide the action — taken — on the complaint — [number] — filed on [date] — including: (a) the complaint — status, (b) the investigation — status, (c) the frozen — accounts, (d) the recovered — amount", (c) the application fee — is Rs 10.
 +  - **Step 7: Practical tips.** (a) never — install — an APK — from WhatsApp — or SMS, (b) check — the permissions — before — installing — any app, (c) report — the scam — at cybercrime.gov.in — within — the first — 30 minutes — for the best — chance — of recovery, (d) inform — the bank — immediately — to freeze — the account, (e) file RTI — with the Cyber Crime — Cell — for the action — status — on the complaint, (f) Example: A victim — received — a call — from a "bank — official" — and installed — an APK — and Rs 2,00,000 — was debited — and the victim — reported — at 1930 — within 30 minutes — and the money — was frozen — and reversed — and the victim — filed — the FIR — and the scammer — was arrested.
 +
 +See [[https://righttoinformation.wiki/fake-apk-installation-scam-india|Fake APK Scam]] and [[https://righttoinformation.wiki/dating-app-blackmail-scam-30-min-india|Dating App Blackmail Scam]].
 +
 +{{tag>fake apk scam 2026 cybercrime 1930 india banking fraud rti apk installation 2026}}