How to Report Fake Mobile Apps in India (Play Store, MeitY, CERT-In, 2026)

Fake clones of SBI YONO, IRCTC Rail Connect, Income Tax Faceless, EPFO Passbook, BHIM, mAadhaar — uploaded to the Play Store under near-identical names — are how millions of Indians lose money in 2026. This page is the operational reporting playbook: how to detect a fake app in 30 seconds, how to report to Google + MeitY + CERT-In so it's taken down in 48 hours, and how to recover if you've already installed one.

Citizen Crisis Response Network — install rule
Always download from the bank / agency's verified app-store link on its official website (e.g., sbi.co.in → “Download YONO” → Play Store link), never from a search result.

To report a fake mobile app in India: (1) inside Play Store, tap the app → ⋮ → Report, (2) report at cert-in.org.in → Incident Report, (3) email MeitY's Incident Response at [email protected], (4) report to the impersonated brand (bank / RBI / IRCTC / Income Tax helpdesk), (5) file at cybercrime.gov.in / 1930 if money has moved, and (6) post a public PIB Fact Check forward (WhatsApp +91-8799711259). Verified takedowns from Google + CERT-In typically complete within 24-72 hours.

• How fake apps reach Play Store
• Spot a fake app in 30 seconds
• Report to Google Play
• Report to CERT-In + MeitY
• Report to the impersonated brand
• The 30-minute drill if you installed
• What not to do
• Sample report email
• Can compensation be claimed?
• FAQ

Three routes:

1. Lookalike upload — A new developer account uploads “SBI YONO Bank Online” / “ITR Tax Filing 2026” / “IRCTC Faster Booking” with cloned UI and a slightly different developer name. Google's automated review misses it for 24-72 hours.
2. Repackaged genuine app — The developer downloads the real APK, repackages it with a trojan, and uploads under a similar name.
3. Sideloaded only — Some attackers don't bother with Play Store; the link is shared on WhatsApp / SMS. See fake APK installation scam.

The two ways to defeat all three: (a) install only via the bank's website link to the store, and (b) verify the developer name on the store listing.

If even one check fails, do not install. Verify by visiting the bank's website and clicking their “Download” link — that link goes to the genuine Play Store listing.

1. Open the suspect app's listing in Play Store (Android device or play.google.com on web)
2. Tap ⋮ More options → Flag as inappropriate
3. Choose category: “Copycat or impersonation” or “Sexual content / harmful behaviour / malware” → as applicable
4. Add a short description with reasons + screenshots
5. For deeper reports: support.google.com → developer takedown (DMCA / impersonation)
6. Trademark holders (i.e., the real bank) get faster takedown via Google's brand-protection form

Google generally responds within 24-48 hours for clear impersonation.

1. CERT-In Incident Reporting: cert-in.org.in → “Incident Reporting Form”
2. Email: [email protected] (PGP key on site)
3. Phone: +91-1800-11-4949 (toll-free)
4. Include: Play Store URL, developer name, date of detection, screenshots, hashes of APK if you can extract
5. Cite CERT-In Cyber Security Directions, 2022 which obligates Indian platforms to retain logs for 180 days
6. MeitY Cyber Coordination Centre (I4C): cybercrime.gov.in → cyber-crime → impersonation
7. For sustained / large-scale impersonation, a Section 69A (IT Act) blocking order can be requested by the brand — flag this to the affected bank / agency

CERT-In confirms incident receipt + ticket number; coordinates takedown with platform.

Most banks / agencies have dedicated “report-fraud” channels:

• SBI — [email protected]
• HDFC Bank — [email protected]
• ICICI Bank — [email protected]
• Axis Bank — [email protected]
• PNB — [email protected]
• RBI — sachet.rbi.org.in (collective reporting)
• IRCTC — [email protected]
• Income Tax — [email protected]
• EPFO — [email protected]
• UIDAI — [email protected]

Forward the Play Store URL + screenshots. The brand's legal team can file the trademark-protection takedown directly with Google + CERT-In.

If you have installed a suspect app and entered banking credentials:

1. Airplane mode the device immediately
2. From another device:
   • Change net-banking password
   • Block debit card
   • De-register UPI on every UPI app
   • Change email password + revoke sessions
3. Uninstall the suspect app; revoke Accessibility / Notification access
4. Factory reset as in fake APK scam playbook
5. 1930 + cybercrime.gov.in if money has moved
6. Bank email invoking RBI Master Direction 2017 within 24 hours
7. CERT-In report ([email protected]) with details

• Do not install from Play Store search results without checking the developer name.
• Do not install banking / government APKs from anywhere except the verified Play Store / App Store link on the brand's official site.
• Do not grant Accessibility / SMS / install-other-apps permission to any non-essential app.
• Do not rate / review a fake app even to “warn others” — it boosts engagement signals.
• Do not delay reporting — every additional day means more victims.

To: [email protected]
Cc: [bank's anti-phishing email] + cybercrime.gov.in submission ref

Subject: Impersonation app on Google Play targeting [Bank / Agency]
customers — request for takedown coordination

Sir / Madam,

I report the following impersonation app currently live on Google Play
Store, targeting customers of [Brand / Bank Name]:

  Play Store URL : ___
  App name       : ___
  Developer name : ___
  Install count  : ___
  Detection date : ___
  Permissions of concern : Accessibility, SMS read, ...

Attached:
  1. Screenshots of the listing
  2. Permissions screenshot
  3. APK hash (if extractable): ___
  4. Comparison with the genuine app

Cited authority:
  - CERT-In Cyber Security Directions, 2022
  - IT Act 2000 §66C, §66D, §69A (blocking)
  - BNS 2024 §316 (personation), §319 (cheating)
  - Trade Marks Act 1999 (where the brand is registered)

I request CERT-In to:
  a) Coordinate takedown with Google Play and the affected brand.
  b) Issue a public advisory if multiple impersonation listings exist.
  c) Confirm the takedown date in writing.

Yours faithfully,
[Signature, Name, Date, Phone, Email]

• Bank refund — RBI Master Direction 2017 (zero liability if reported within 3 working days)
• Banking Ombudsman — RB-IOS 2021 if bank stalls
• Consumer court — for app-platform negligence (Google / Apple) — emerging jurisprudence
• CERT-In compliance penalties on platforms that don't take down; complaint via MeitY
• Civil suit against fake-app developer if traceable

1. 0–5 min — If installed: airplane mode + change passwords from another device
2. 5–15 min — Report on Play Store (⋮ → Flag); report to bank's anti-phishing email
3. 15–25 min — File at CERT-In + cybercrime.gov.in
4. 25–30 min — Forward to PIB Fact Check + amplify on social media (with screenshots, no PII)
5. +24 h — Bank's “report unauthorised transaction” form
6. +72 h — Confirm takedown via Play Store / CERT-In ticket

report fake app India 2026, fake SBI YONO Play Store, fake IRCTC app takedown, fake Income Tax app report, CERT-In incident reporting, MeitY app takedown, fake EPFO Play Store, lookalike app Play Store, fake banking app trojan, fake mAadhaar app

• Q: How long does Google take to remove a fake app?
  Typically 24-72 hours after a clear impersonation report. Faster if the trademark holder reports.
• Q: What if the same fake app is on the Apple App Store?
  Apple has a similar “Report a Problem” flow per listing; brand-protection takedown is faster on iOS.
• Q: Who can use Section 69A blocking?
  The Government of India / authorised officers, on application by an affected stakeholder. Banks and agencies typically file via MeitY.
• Q: Will I get my money back if a fake app drained my account?
  Yes, under RBI 2017 framework, with timely reporting. The fake-app circumstance counts as deceit.
• Q: Can I sue the developer?
  Yes, in theory — but most fake-app developers are offshore and untraceable. The remedy is takedown + bank refund.

“How to report a fake app on Play Store?” · “CERT-In incident report India.” · “Fake SBI app on Play Store.” · “MeitY app takedown India.” · “Play Store impersonation report.”

[Decision tree] "Is this app fake?"
Developer name matches bank / agency exactly? → likely real
Install count > 10 lakh + years of updates? → likely real
Anything else? → suspect → don't install → report

[Reporting ladder]
Play Store flag → bank's anti-phishing email → CERT-In incident
                  → MeitY / I4C → 1930 (if money moved)

[Comparison table] "Real app vs fake app"
Developer       : exact official name | slight variation
Permissions     : minimum bank-specific | accessibility / SMS
Reviews         : organic, mixed     | five-star burst
Update history  : years long          | one to two recent

• Fake APK installation scam
• Fake KYC update scam
• Fake Aadhaar update fraud
• UPI fraud recovery
• Block lost / stolen SIM
• Banking Ombudsman complaint guide

• CERT-In — cert-in.org.in · [email protected] · +91-1800-11-4949
• MHA — I4C — cybercrime.gov.in · 1930
• MeitY — Cyber Coordination Centre (I4C)
• PIB Fact Check — factcheck.pib.gov.in · WhatsApp +91-8799711259
• RBI Sachet — sachet.rbi.org.in (suspicious entity reporting)
• IT Act 2000 §66C, §66D, §69A (blocking), §70B (CERT-In powers)
• BNS 2024 §316 (personation), §319 (cheating), §336–§338 (forgery)
• Trade Marks Act 1999 — for branded-app impersonation
• CERT-In Cyber Security Directions, 2022

Visit the bank / agency's website; their “Download our app” page links to the genuine Play Store listing. The developer name there is authoritative.

No — engagement signals (any rating) help the listing rank. Just report and silently move on.

Yes — list each with its Play Store URL and developer. CERT-In assigns one ticket but coordinates takedown of all listings.

Report directly to the store's abuse channel; also email CERT-In. These stores' takedowns are slower but possible.

Recommended if money has moved. The FIR strengthens the bank's refund case and the takedown record.

Fake mobile apps are the cheapest, fastest impersonation channel in India. The defence is two-step: install only from your bank or agency's website link, and report any lookalike you spot to Play Store + CERT-In + the brand. Each report shortens the listing's life by hundreds of hours of victim exposure. Five minutes of reporting is the most public-spirited thing you can do this week.

This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through CERT-In bulletins, MeitY advisories, and Google Play transparency reports.