How to Report Fake Mobile Apps in India (Play Store, MeitY, CERT-In, 2026)
Fake clones of SBI YONO, IRCTC Rail Connect, Income Tax Faceless, EPFO Passbook, BHIM, mAadhaar — uploaded to the Play Store under near-identical names — are how millions of Indians lose money in 2026. This page is the operational reporting playbook: how to detect a fake app in 30 seconds, how to report to Google + MeitY + CERT-In so it's taken down in 48 hours, and how to recover if you've already installed one.
Citizen Crisis Response Network — install rule
Always download from the bank / agency's verified app-store link on its official website (e.g., sbi.co.in → “Download YONO” → Play Store link), never from a search result.
Direct answer (featured snippet)
To report a fake mobile app in India: (1) inside Play Store, tap the app → ⋮ → Report, (2) report at cert-in.org.in → Incident Report, (3) email MeitY's Incident Response at incident@cert-in.org.in, (4) report to the impersonated brand (bank / RBI / IRCTC / Income Tax helpdesk), (5) file at cybercrime.gov.in / 1930 if money has moved, and (6) post a public PIB Fact Check forward (WhatsApp +91-8799711259). Verified takedowns from Google + CERT-In typically complete within 24-72 hours.
How fake apps reach Play Store
Three routes:
- Lookalike upload — A new developer account uploads “SBI YONO Bank Online” / “ITR Tax Filing 2026” / “IRCTC Faster Booking” with cloned UI and a slightly different developer name. Google's automated review misses it for 24-72 hours.
- Repackaged genuine app — The developer downloads the real APK, repackages it with a trojan, and uploads under a similar name.
- Sideloaded only — Some attackers don't bother with Play Store; the link is shared on WhatsApp / SMS. See fake APK installation scam.
The two ways to defeat all three: (a) install only via the bank's website link to the store, and (b) verify the developer name on the store listing.
Spot a fake app in 30 seconds
| Check | Real app | Fake app |
|---|---|---|
| Developer name | Exact bank / agency (e.g., “State Bank of India”) | Slightly off (“State Bank India Pvt Ltd”, “SBI Limited”) |
| Install count | Crores / lakhs | Hundreds / few thousand |
| Reviews | Old, mixed, organic | Five-star burst, generic phrasing |
| Permissions | Bank-specific minimum | Accessibility, SMS, install other apps |
| Description language | Polished | Typos, broken grammar |
| Update history | Years long | One or two recent updates |
| Privacy policy URL | Official bank domain | Random ``.in`` / ``.online`` |
| Listed website | Bank's official site | Generic / dead link |
If even one check fails, do not install. Verify by visiting the bank's website and clicking their “Download” link — that link goes to the genuine Play Store listing.
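The table's checks can be applied mechanically when triaging many lookalike listings. The sketch below is an added example, not part of the original guide or any official tool; the field names, the 1-lakh install threshold and the sample listings are assumptions, and the permission list is assumed to be read from the app's manifest.

```python
from urllib.parse import urlsplit

# Permissions the table flags as out of place for a banking app
# (real Android permission names; the grouping is this example's choice).
RISKY_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

def host_in_domain(url, official_domain):
    """True only if the URL's host is the official domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    official = official_domain.lower()
    return host == official or host.endswith("." + official)

def failed_checks(listing, official):
    """Return the names of the table's checks that the listing fails."""
    failed = []
    # Exact match after whitespace/case folding: "State Bank India Pvt Ltd" must fail.
    if " ".join(listing["developer"].split()).casefold() != official["developer"].casefold():
        failed.append("developer name")
    if listing["installs"] < official["min_installs"]:
        failed.append("install count")
    risky = sorted({RISKY_PERMISSIONS[p] for p in listing["permissions"] if p in RISKY_PERMISSIONS})
    if risky:
        failed.append("permissions: " + ", ".join(risky))
    for field, label in (("privacy_url", "privacy policy URL"), ("website", "listed website")):
        if not host_in_domain(listing[field], official["domain"]):
            failed.append(label)
    return failed

# Constructed sample data, not taken from any real listing.
OFFICIAL = {"developer": "State Bank of India", "domain": "sbi.co.in", "min_installs": 100_000}
GENUINE = {"developer": "State Bank of India", "installs": 50_000_000,
           "permissions": ["android.permission.INTERNET", "android.permission.CAMERA"],
           "privacy_url": "https://www.sbi.co.in/privacy", "website": "https://sbi.co.in/"}
LOOKALIKE = {"developer": "State Bank India Pvt Ltd", "installs": 3_200,
             "permissions": ["android.permission.READ_SMS",
                             "android.permission.BIND_ACCESSIBILITY_SERVICE"],
             "privacy_url": "https://sbi.co.in.lookalike.example/privacy",
             "website": "http://sbi-yono.example/"}

if __name__ == "__main__":
    for name, listing in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        problems = failed_checks(listing, OFFICIAL)
        print(name, "->", "do not install: " + "; ".join(problems) if problems else "all checks pass")
```

The domain check matches on a dot boundary, so a host that merely starts with or contains the bank's domain is still rejected.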
Report to Google Play
- Open the suspect app's listing in Play Store (Android device or play.google.com on web)
- Tap ⋮ More options → Flag as inappropriate
- Choose the category that applies: “Copycat or impersonation” or “Sexual content / harmful behaviour / malware”
- Add a short description with reasons + screenshots
- For deeper reports: support.google.com → developer takedown (DMCA / impersonation)
- Trademark holders (i.e., the real bank) get faster takedown via Google's brand-protection form
Google generally responds within 24-48 hours for clear impersonation.
Report to CERT-In + MeitY
- CERT-In Incident Reporting: cert-in.org.in → “Incident Reporting Form”
- Email: incident@cert-in.org.in (PGP key on site)
- Phone: +91-1800-11-4949 (toll-free)
- Include: Play Store URL, developer name, date of detection, screenshots, hashes of APK if you can extract
- Cite CERT-In Cyber Security Directions, 2022 which obligates Indian platforms to retain logs for 180 days
- MeitY Cyber Coordination Centre (I4C): cybercrime.gov.in → cyber-crime → impersonation
- For sustained / large-scale impersonation, a Section 69A (IT Act) blocking order can be requested by the brand — flag this to the affected bank / agency
CERT-In confirms receipt of the incident with a ticket number and coordinates the takedown with the platform.
Report to the impersonated brand
Most banks / agencies have dedicated “report-fraud” channels:
- SBI — report.phishing@sbi.co.in
- HDFC Bank — phishing@hdfcbank.com
- ICICI Bank — anti.phishing@icicibank.com
- Axis Bank — phishing@axisbank.com
- PNB — bo.dpsdc@pnb.co.in
- RBI — sachet.rbi.org.in (collective reporting)
- IRCTC — care@irctc.co.in
- Income Tax — webmanager@incometax.gov.in
- EPFO — vio.bjp@epfindia.gov.in
- UIDAI — help@uidai.gov.in
Forward the Play Store URL + screenshots. The brand's legal team can file the trademark-protection takedown directly with Google + CERT-In.
The 30-minute drill if you installed
If you have installed a suspect app and entered banking credentials:
- Put the device in airplane mode immediately
- From another device:
  - Change net-banking password
  - Block debit card
  - De-register UPI on every UPI app
  - Change email password + revoke sessions
- Uninstall the suspect app; revoke Accessibility / Notification access
- Factory reset as in fake APK scam playbook
- 1930 + cybercrime.gov.in if money has moved
- Bank email invoking RBI Master Direction 2017 within 24 hours
- CERT-In report (incident@cert-in.org.in) with details
What not to do
- Do not install from Play Store search results without checking the developer name.
- Do not install banking / government APKs from anywhere except the verified Play Store / App Store link on the brand's official site.
- Do not grant Accessibility / SMS / install-other-apps permission to any non-essential app.
- Do not rate / review a fake app even to “warn others” — it boosts engagement signals.
- Do not delay reporting — every additional day means more victims.
Sample report email
To: incident@cert-in.org.in
Cc: [bank's anti-phishing email] + cybercrime.gov.in submission ref
Subject: Impersonation app on Google Play targeting [Bank / Agency] customers — request for takedown coordination

Sir / Madam,

I report the following impersonation app currently live on Google Play Store, targeting customers of [Brand / Bank Name]:

Play Store URL : ___
App name : ___
Developer name : ___
Install count : ___
Detection date : ___
Permissions of concern : Accessibility, SMS read, ...

Attached:
1. Screenshots of the listing
2. Permissions screenshot
3. APK hash (if extractable): ___
4. Comparison with the genuine app

Cited authority:
- CERT-In Cyber Security Directions, 2022
- IT Act 2000 §66C, §66D, §69A (blocking)
- BNS 2024 §316 (personation), §319 (cheating)
- Trade Marks Act 1999 (where the brand is registered)

I request CERT-In to:
a) Coordinate takedown with Google Play and the affected brand.
b) Issue a public advisory if multiple impersonation listings exist.
c) Confirm the takedown date in writing.

Yours faithfully,
[Signature, Name, Date, Phone, Email]
Can compensation be claimed?
- Bank refund — RBI Master Direction 2017 (zero liability if reported within 3 working days)
- Banking Ombudsman — RB-IOS 2021 if bank stalls
- Consumer court — for app-platform negligence (Google / Apple) — emerging jurisprudence
- CERT-In compliance penalties on platforms that don't take down; complaint via MeitY
- Civil suit against fake-app developer if traceable
What to do in the next 30 minutes (printable card)
- 0–5 min — If installed: airplane mode + change passwords from another device
- 5–15 min — Report on Play Store (⋮ → Flag); report to bank's anti-phishing email
- 15–25 min — File at CERT-In + cybercrime.gov.in
- 25–30 min — Forward to PIB Fact Check + amplify on social media (with screenshots, no PII)
- +24 h — Bank's “report unauthorised transaction” form
- +72 h — Confirm takedown via Play Store / CERT-In ticket
People also ask
- Q: How long does Google take to remove a fake app?
  Typically 24-72 hours after a clear impersonation report. Faster if the trademark holder reports.
- Q: What if the same fake app is on the Apple App Store?
  Apple has a similar “Report a Problem” flow per listing; brand-protection takedown is faster on iOS.
- Q: Who can use Section 69A blocking?
  The Government of India / authorised officers, on application by an affected stakeholder. Banks and agencies typically file via MeitY.
- Q: Will I get my money back if a fake app drained my account?
  Yes, under RBI 2017 framework, with timely reporting. The fake-app circumstance counts as deceit.
- Q: Can I sue the developer?
  Yes, in theory — but most fake-app developers are offshore and untraceable. The remedy is takedown + bank refund.
SVG / infographic prompts
[Decision tree] "Is this app fake?"
Developer name matches bank / agency exactly? → likely real
Install count > 10 lakh + years of updates? → likely real
Anything else? → suspect → don't install → report
[Reporting ladder]
Play Store flag → bank's anti-phishing email → CERT-In incident
→ MeitY / I4C → 1930 (if money moved)
[Comparison table] "Real app vs fake app"
Developer : exact official name | slight variation
Permissions : minimum bank-specific | accessibility / SMS
Reviews : organic, mixed | five-star burst
Update history : years long | one to two recent
Government & authority references
- CERT-In — cert-in.org.in · incident@cert-in.org.in · +91-1800-11-4949
- MHA — I4C — cybercrime.gov.in · 1930
- MeitY — Cyber Coordination Centre (I4C)
- PIB Fact Check — factcheck.pib.gov.in · WhatsApp +91-8799711259
- RBI Sachet — sachet.rbi.org.in (suspicious entity reporting)
- IT Act 2000 §66C, §66D, §69A (blocking), §70B (CERT-In powers)
- BNS 2024 §316 (personation), §319 (cheating), §336–§338 (forgery)
- Trade Marks Act 1999 — for branded-app impersonation
- CERT-In Cyber Security Directions, 2022
FAQ
++++ How do I find the genuine app's developer name? | Visit the bank / agency's website; their “Download our app” page links to the genuine Play Store listing. The developer name there is authoritative. ++++
++++ Should I rate the fake app 1-star to warn others? | No — engagement signals (any rating) help the listing rank. Just report and silently move on. ++++
++++ Can I report multiple fake apps in one email to CERT-In? | Yes — list each with its Play Store URL and developer. CERT-In assigns one ticket but coordinates takedown of all listings. ++++
++++ What about fake apps in third-party stores (APKPure / Aptoide)? | Report directly to the store's abuse channel; also email CERT-In. These stores' takedowns are slower but possible. ++++
++++ Do I need to file a police FIR? | Recommended if money has moved. The FIR strengthens the bank's refund case and the takedown record. ++++
Myth vs reality
| Myth | Reality |
|---|---|
| “Play Store apps are safe.” | Lookalike apps occasionally pass review; the safe path is the bank's website link. |
| “Five-star ratings = real.” | Burst five-star ratings are a fake-app signal, not authenticity. |
| “Only banking apps are cloned.” | IRCTC, Income Tax, EPFO, UIDAI, RBI, scholarship portals are all impersonated. |
| “Reporting won't matter; Google ignores it.” | Google's brand-protection takedown is among the fastest in tech — typically 24-48 h. |
| “If I don't install, I'm safe.” | True for you; but the listing is harvesting other victims — report it. |
Last word
Fake mobile apps are the cheapest, fastest impersonation channel in India. The defence is two-step: install only from your bank or agency's website link, and report any lookalike you spot to Play Store + CERT-In + the brand. Each report shortens the listing's life by hundreds of hours of victim exposure. Five minutes of reporting is the most public-spirited thing you can do this week.
This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through CERT-In bulletins, MeitY advisories, and Google Play transparency reports.