Malicious APK Files Masquerading as Wedding Cards Drain Bank Accounts

‘Wedding Card’ Turns Into Cyber Trap: APK Scam Emerges As A Nationwide Threat

The420 Web Desk

New Delhi | January 14, 2026: Cyber fraud involving malicious APK files has emerged as a growing nationwide threat, with victims across multiple states reporting unauthorized withdrawals from their bank accounts after opening files disguised as wedding invitations, utility bills or official notifications. Cybercrime researchers say the pattern has moved beyond isolated incidents and now reflects a coordinated national scam model.

In recent cases reported from different parts of the country, victims received APK files via WhatsApp and other messaging platforms, often from the numbers of friends or acquaintances. Believing the messages to be genuine, many opened the files, unknowingly granting cybercriminals access to their mobile phones and sensitive financial data.

How a Single Click Compromises an Entire Device

Experts say once the APK file is installed, the device is compromised in the background. Criminals gain access to OTPs, passwords and banking credentials, enabling them to transfer funds without the user’s immediate knowledge. In several cases, victims realised they had been defrauded only after their bank balances dropped sharply.

Multiple victims have recounted similar experiences: a wedding card or urgent notification arriving from a known contact, followed by sudden phone malfunction, unresponsive screens and unauthorised transactions. Subsequent checks revealed that the sender’s messaging account had already been hacked, and the malicious file was being forwarded automatically to contacts.

Trust Weaponised Through Chain-Based Propagation

Cyber analysts describe the scam as a textbook case of social engineering, where trust is weaponised. Criminals first compromise one device or account and then exploit the victim’s contact list to spread malware at scale. This chain-based propagation has allowed APK attacks to spread rapidly across regions.

According to Future Crime Research Foundation (FCRF), India has witnessed a significant spike in APK-based cyber attacks over the past few months, with common templates and narratives appearing in cases from different states. The organisation notes that fraudsters deliberately use emotionally familiar or urgent themes—such as weddings, KYC updates, courier alerts or account warnings—to prompt quick action.

Why APK Files Pose a Unique Threat

“APK files are especially dangerous because they bypass official app store security checks and rely entirely on user consent,” FCRF said in its assessment. “Once installed, such files can enable data exfiltration, account takeover and persistent device monitoring without obvious signs.”

Former IPS officer and noted cyber crime expert Triveni Singh said APK-based scams represent one of the most deceptive forms of digital fraud currently targeting Indian users. He noted that attackers often exploit psychological pressure to override built-in security warnings.

“These files originate outside official app ecosystems, but users are persuaded to ignore security alerts due to perceived urgency or trust in the sender,” Singh said. “The scam now operates on a chain-reaction model, where one compromised device becomes a launchpad for infecting hundreds of others.”

Singh added that the rapid spread of smartphones and messaging apps, combined with low awareness of mobile malware risks, has made APK fraud particularly effective. “This is no longer a localised problem. It is a structured, scalable cybercrime operation,” he said.

FCRF National Cyber Advisory on APK Scams

In light of the growing threat, Future Crime Research Foundation has issued a national cyber advisory aimed at mobile users:

  • Do not download or install any APK file received via WhatsApp, SMS, Telegram or email, even if it comes from a known contact.
  • Wedding invitations, bank alerts, KYC updates, challans or electricity bills are never sent as APK files.
  • Install apps only from official app stores and keep the “Unknown Sources” option disabled at all times.
  • If a suspicious file is opened accidentally, disconnect from the internet immediately, change passwords and inform the bank.
  • Never share OTP, PIN, CVV or login credentials; enable two-factor authentication on all financial apps.
  • Keep the phone updated with the latest operating system and use trusted mobile security software.
  • Report suspicious transactions or messages immediately on 1930 or via www.cybercrime.gov.in to improve chances of fund recovery.
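The advisory's point that invitations, bills and alerts are never sent as APK files can be checked on file content rather than on the name shown in the chat. The following is an added example, not code from FCRF or the article: a triage check a help desk or messaging gateway could run on a received attachment. The function names, the keyword list and the sample files are constructed assumptions.

```python
import io
import zipfile

# Lure themes named in the article; this keyword list is an assumption.
LURE_WORDS = ("wedding", "invitation", "kyc", "courier", "challan", "bill", "bank")

def is_apk(data: bytes) -> bool:
    """An APK is a ZIP archive with AndroidManifest.xml at the archive root."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False
    try:
        with zipfile.ZipFile(stream) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def triage(filename: str, data: bytes) -> dict:
    """Decide on content, then record why the file looked trustworthy."""
    lower = filename.lower()
    apk = is_apk(data)
    return {
        "is_apk": apk,
        # Name claims to be a document or image, content is an installable app.
        "disguised_extension": apk and not lower.endswith(".apk"),
        # Name uses one of the social-engineering themes from the advisory.
        "lure_theme": apk and any(word in lower for word in LURE_WORDS),
        "block": apk,
    }

def constructed_apk() -> bytes:
    """Constructed sample: a harmless ZIP laid out like an APK (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [
        ("Wedding Invitation.apk", constructed_apk()),
        ("wedding_card.pdf", constructed_apk()),           # renamed APK
        ("electricity_bill.pdf", b"%PDF-1.7\n%%EOF\n"),     # real document type
    ]
    for name, data in samples:
        print(name, triage(name, data))
```

A file that returns `block: True` should be quarantined and the sender's account treated as possibly compromised, since the article describes the file being forwarded automatically from hacked accounts.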

FCRF cautioned that while smartphone adoption continues to rise rapidly in India, digital hygiene and caution remain weak links. Unless users begin treating unsolicited files and links as potential threats by default, experts warn that APK-based cyber fraud will continue to expand.
