A fresh case of cyber fraud has come to light in the city, where a businessman lost ₹9.71 lakh from his bank account after installing a fake mobile application posing as an “RTO challan”. The fraudulent app, sent via WhatsApp, gave cybercriminals complete remote access to the victim’s mobile phone within minutes of installation.
Police said the incident occurred in a commercial area of Mumbai’s western suburbs. According to the complaint, three unauthorised transactions were carried out from the victim’s bank account in December 2025. Despite the substantial amount involved, no SMS or email alerts were received at the time of the withdrawals.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Malicious APK delivered via WhatsApp
Investigations revealed that the fraud began a few days earlier, when the victim received a file titled “RTO Challan.apk” on WhatsApp. The file appeared to have been sent by a familiar contact, lowering suspicion. Once installed, the file activated a spyware program on the phone.
Cyber experts explained that the APK was not sourced from any official app store but was directly shared through a messaging platform. The moment the installation was completed, the attackers gained remote control over the device.
Complete phone takeover, banking apps exploited
With full access to the phone, the accused operated the victim’s banking applications and transferred money to unidentified accounts across multiple banks. The transactions were executed in a manner that prevented immediate detection by the account holder.
Police said that in such cases, cybercriminals often disable or bypass banking alert settings after compromising a device, ensuring that victims remain unaware until significant losses have already occurred.
Spyware detected during phone scan
Suspicion arose when the victim later noticed irregularities in the bank account. A scan using a government-backed mobile security application revealed the presence of spyware on the phone. Following this discovery, a formal police complaint was filed.
An FIR has been registered against unknown persons under cybercrime-related provisions. Investigators are analysing WhatsApp chats, suspicious phone numbers and detailed bank transaction records to trace the money trail.
Fake APKs emerging as a major cybercrime tool
Cybercrime officials said that fraud involving malicious APK files has increased sharply in recent months. Such files are often disguised as traffic challans, KYC updates, delivery notifications or bill payment apps, making them appear legitimate.
Once installed, these applications can access calls, messages, OTPs and banking apps, allowing criminals to drain accounts with ease.
Warning from Future Crime Research Foundation
Independent cybercrime research body Future Crime Research Foundation has cautioned that APK-based frauds are likely to become more organised and widespread. According to the foundation’s recent studies, criminals are increasingly impersonating government departments, traffic authorities, banks and e-governance platforms to trick users into installing malicious apps.
The research highlights that such attacks rely more on social engineering than technical loopholes—victims are persuaded to install the app themselves, effectively neutralising built-in security safeguards.
Police and expert advisory
Police have urged citizens not to download or install APK files received via WhatsApp or unknown messages. Any government notice or traffic challan should be verified only through official websites or authorised mobile applications.
Cybersecurity experts warned that installing unverified apps directly exposes bank accounts and personal data to serious risk. Vigilance, they said, remains the most effective defence against such frauds.
Investigators added that efforts are underway to identify the perpetrators and trace the siphoned funds through banking channels.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
