Fake MGL App Led Mumbai Police To A Rs 43 Crore APK Fraud Network Spanning India

Six Arrested In Mumbai APK Fraud Bust Linked To Rs 43 Crore And 3,206 Cases Nationwide

The420 Web Correspondent

It began with a fake Mahanagar Gas message and a Rs 10 payment request. By the time Mumbai Cyber Crime Branch finished tracing the thread, it had found a network linked to 3,206 fraud complaints, Rs 43.25 crore in losses and a server database storing the most sensitive financial details of 8,609 people across India.

Six members of the interstate syndicate were arrested from Jharkhand and Delhi on Thursday. The case, registered at the Cyber Police Station, Western Division, Mumbai under Crime Register No. 81/2026, is one of the most significant APK fraud busts the city’s investigators have made this year.

How It Started

A Mumbai resident received a WhatsApp message purportedly from Mahanagar Gas Limited. It warned that his gas connection would be cut unless he updated his billing details immediately. He was directed to download an APK file and pay Rs 10 to complete the update. He complied. The malware installed itself silently. Fraudsters accessed his banking information and cheated him of Rs 2.35 lakh.

When investigators pulled the thread, what they found behind it was not a small operation.

What The Servers Contained

The forensic examination of the gang’s Google Firebase and Hostinger servers produced figures that stopped investigators in their tracks. The servers held nearly 1.24 crore SMS records harvested from compromised devices. Those records included OTPs, banking alerts and sensitive financial messages. The database was linked to 8,609 victims, and it did not just store phone numbers. It contained bank account details, ATM card information, PINs, CVV details and UPI IDs. The gang had, in effect, built a comprehensive financial dossier on thousands of people without any of them knowing.

Investigators also recovered 111 fake APK files impersonating banks, the Regional Transport Office, Mahanagar Gas and other institutions. They found 83 package names linked to malicious applications stored in the gang’s own server database. Server panel login credentials and malicious URLs used by the accused were seized. Chat records from WhatsApp groups, Telegram groups and Telegram bots documented how the fake APK files were sold, circulated and distributed across the network.

The Six Accused

Based on technical analysis and digital tracking, the Cyber Crime Branch arrested the six accused from Jharkhand and Delhi. They have been identified as Arif Astun Ansari (28), Shaikh Belal Naushad (28), Mehboob Naushad Alam (26), Sajid Mansur Ali (21), Mohan Kushal Mahto (23) and Sunil Kumar Dashrath Soren (25). The arrested individuals included developers of the fake APK files, distributors of the malicious applications and those involved in sending the files to victims. All six face charges under the Bharatiya Nyaya Sanhita and the Information Technology Act.

The findings have been shared with the I4C for further action. The Cyber Crime Branch confirmed that 517 of the 3,206 linked complaints came from Maharashtra, with 93 from Mumbai alone. Respective state police departments have been notified.

Jharkhand’s Digital Crime Pipeline

The arrests from Jharkhand carry a familiar resonance. Just two days earlier, Ahmedabad Cyber Crime arrested a Jharkhand-based mastermind who ran a Telegram bot selling custom malware to nearly 400 fraudsters across India. The operational template in both cases is almost identical — fake utility apps, WhatsApp delivery, Firebase servers, OTP interception and remote banking access.

Jharkhand’s Jamtara district has long been the geographic heart of India’s organised telephonic fraud economy. What these back-to-back busts reveal is how that ecosystem has evolved from phone-based phishing into technically sophisticated malware development and nationwide APK distribution networks.

What You Must Not Do

Officials urged citizens not to install APK files received from unknown sources or extract ZIP files shared by unidentified persons. Do not share OTPs, ATM PINs or banking credentials with anyone. No bank, gas utility, electricity board or government agency will ever ask you to download an application through a WhatsApp or SMS link. Every legitimate application is available only on the Google Play Store or Apple App Store.

If you have already downloaded such a file, call 1930 immediately. Speed is the only advantage a victim has.
