What appeared to be a routine online courier booking turned into a costly cyber fraud for a retired Army officer in Chandigarh. An 82-year-old former Army officer allegedly lost more than ₹12 lakh after cyber criminals tricked him into downloading a malicious APK file on his mobile phone. Investigators say the file compromised his banking details and enabled a series of unauthorised transactions from his account.
Retired Colonel’s Blue Dart Courier Search Turns Deadly
According to the complaint, the victim, Colonel Rajbir Singh Duggal, was trying to send a parcel from his residence to Pune. While searching the internet for the contact number of a courier service, he came across a phone number that appeared to belong to Blue Dart. When he called the number, his call was allegedly connected to a person who introduced himself as an online executive of the courier company.
APK Malware Trap: ₹10 Payment Leads to ₹12 Lakh Theft via Stolen OTPs
During the conversation, the caller told him that a nominal online payment of ₹10 was required to confirm the courier pickup request. The victim initially attempted the payment through his SBI account, but the transaction failed. He later completed the ₹10 payment using his HDFC credit card.
Shortly after the payment, the same individual contacted him again through WhatsApp. The caller claimed that the courier pickup process required downloading a mobile application and sent a link containing an APK file. Believing it to be part of the booking process, the victim downloaded and installed the file on his smartphone.
Initially, there were no visible signs of suspicious activity. However, within a short time, several unauthorised transactions began taking place from his bank account. Before he could react, more than ₹12 lakh had been transferred through multiple transactions to different accounts.
How APK Malware Exploits Android Permissions for Banking Fraud
Preliminary technical examination revealed that the APK file was actually a piece of malware specifically designed to gain control over the victim’s mobile device. Once installed, the malicious application was able to obtain access to key features of the phone, including reading SMS messages, monitoring notifications and capturing on-screen activity.
Cyber experts explain that such malicious applications often exploit Android’s accessibility permissions. When users unknowingly grant these permissions, the malware can remotely view the phone screen, record user actions and intercept sensitive data entered into banking applications.
By exploiting these permissions, cyber criminals are able to capture login credentials, passwords and one-time passwords (OTPs) used during banking transactions. This allows them to initiate financial transfers without the victim’s knowledge.
In this case as well, investigators suspect that once the APK file was installed, the attackers gained remote visibility of the victim’s device activity. They allegedly used the stolen credentials and intercepted OTPs to carry out multiple transactions and siphon off funds.
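For defenders triaging a suspicious APK, the capability combination described above (SMS reading, notification monitoring and an accessibility service) is visible in the app's manifest. The following is an added example, not taken from the investigation: it assumes the manifest has already been decoded to text (for example with apktool), and the package and service names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions behind the capabilities the article describes.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen/input capture)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}

# Constructed sample: decoded AndroidManifest.xml of a hypothetical "courier" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.courierpickup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return findings for capabilities that expose OTPs and banking input."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMS)
    if sms:
        findings.append("SMS access (OTP exposure): " + ", ".join(sms))
    for svc in root.iter("service"):
        label = SERVICE_BINDINGS.get(svc.get(ANDROID_NS + "permission"))
        if label:
            findings.append(f"{label}: {svc.get(ANDROID_NS + 'name')}")
    return findings

def is_high_risk(findings):
    """True when SMS access is combined with accessibility or notification access."""
    has_sms = any(f.startswith("SMS access") for f in findings)
    return has_sms and len(findings) >= 2

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Legitimate apps also request some of these permissions, so a hit is a triage signal to weigh against the app's stated purpose, not proof of malice.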
Expert Warnings: Avoid Unofficial APK Files and Verify Courier Contacts
Renowned cyber crime expert and former IPS officer Prof. Triveni Singh says such frauds highlight the growing sophistication of cyber criminals. According to him, fraudsters are increasingly combining technical tools with social engineering tactics to manipulate victims into installing malicious applications.
He warns that APK files shared through messaging platforms under the pretext of courier services, banking updates or delivery confirmations can be extremely dangerous. Once installed, such malware can effectively give attackers control over the device and access to sensitive financial information.
Cyber specialists advise the public to exercise caution while searching for customer service numbers online. Instead of relying on numbers found through search results, users should verify contact details directly through the official website or mobile app of the service provider.
They also stress that APK files from unknown or unofficial sources should never be downloaded or installed on mobile devices. With smartphones increasingly storing banking data, identity details and personal information, a single careless download can expose users to significant financial risks.
Experts emphasise that vigilance remains the most effective defence against cyber fraud. Avoiding suspicious links, verifying service contacts and refusing to install unknown applications can significantly reduce the chances of falling victim to such scams.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
