A trusted pillar of India’s digital governance is facing a quieter, more insidious threat. As DigiLocker becomes central to daily life, cybercriminals are exploiting its familiarity—deploying lookalike apps and deceptive links that turn convenience into vulnerability
When Trust Becomes the Attack Surface
For millions of Indians, DigiLocker is no longer an abstract government platform but an everyday utility—a place to store driving licences, vehicle registrations, Aadhaar details, PAN cards and academic records. Designed as a secure digital vault, it has become emblematic of the Indian state’s push toward paperless governance.
That very trust has now become a point of attack. In recent months, cybersecurity officials and technology reporters have flagged a growing number of fake DigiLocker applications circulating online. These apps mimic the design and language of the official platform with startling accuracy, blurring the line between state infrastructure and criminal imitation. The danger, experts say, is not merely technical but psychological: users are primed to trust what looks official.
A Proliferation of Lookalike Apps
The problem escalated enough for India’s electronics and information technology authorities to issue public warnings. According to advisories from the Ministry of Electronics and Information Technology, several counterfeit DigiLocker apps have appeared on app stores and through direct download links, masquerading as legitimate updates or alternative versions.
Unlike typical malware, these applications often request a broad range of permissions—access to storage, messages, microphones, even cameras—far beyond what a document wallet should require. Once installed, they can quietly harvest identity data or serve as a gateway for broader financial fraud, including UPI and net-banking thefts.
Cybersecurity researchers note that the sophistication lies less in complex code and more in social engineering. A convincing logo, official-sounding developer names, and links shared via SMS or WhatsApp are often enough to bypass user skepticism.
How Users Are Being Lured In
Investigations into reported cases reveal a familiar pattern. Victims often receive messages urging them to “verify documents,” “restore access,” or “update DigiLocker services.” The links lead not to official portals but to third-party apps or cloned websites. In some cases, users upload sensitive documents directly into these fake platforms, believing they are complying with a government request.
The official DigiLocker service, developed by the National e-Governance Division under the Government of India, has repeatedly stressed that it does not ask users to upload documents via external apps or links. Yet the speed and scale of digital communication make such clarifications easy to miss.
The Stakes: Identity, Money, and the Dark Web
The risks extend far beyond a single compromised account. Once identity documents are captured, they can be repurposed for loan fraud, SIM card issuance, or the creation of shell bank accounts. Security analysts warn that stolen data is often bundled and sold on dark web marketplaces, where it fuels a broader ecosystem of cybercrime.
Authorities advise immediate action if a fake app is suspected: uninstalling the application, reviewing permissions, changing passwords linked to DigiLocker, Aadhaar, banking and email accounts, and scanning devices with trusted anti-malware tools. Suspicious activity can be reported through India’s cybercrime portal or the national helpline.
