BHILWARA, RAJASTHAN — When a wedding invitation appeared in a women’s WhatsApp group, the message felt warm and familiar — a friend’s celebration, a digital gesture of connection before the festive season. More than 150 women clicked the link, downloading what appeared to be a digital wedding card. Within hours, several found their WhatsApp uninstalled, bank accounts frozen, and phones rendered useless.
It was not a wedding card at all. It was a fraudulent APK file, a malicious Android package designed to infiltrate phones, seize control of apps, and potentially siphon off funds. As cyber experts later warned, it marked the emergence of a new wave of socially engineered cyber scams, timed precisely with India’s wedding and festive season, when trust and digital sharing run high.
The victims—mostly homemakers and elderly people—had received the file through acquaintances’ phones, many of which had already been compromised. Once installed, the malware disabled critical functions and gained remote access to messaging and payment applications like WhatsApp and PhonePe.
How the Scam Spread Through Trust
For Lalita Khamesra, a housewife from Bhilwara, the deception began innocently. Before Diwali, she received a link from her friend’s number. “It looked real,” she said. “I clicked it, it didn’t open, so I went to sleep.”
By morning, her WhatsApp was gone—the app had vanished from her phone. When she checked her PhonePe account, she found that her PIN had been changed, though her State Bank of India’s security protocols prevented money from being transferred. She rushed to the bank and withdrew her ₹1.5 lakh savings.
Meanwhile, friends began calling her. They had received the same link — sent from her number. Lalita had become an unwitting conduit for the hackers. “I hadn’t sent anything,” she said. “I told everyone to delete the link and reset their phones.”
Within the Mahila Mandal WhatsApp group, panic spread. Some women narrowly escaped clicking, alerted just in time by messages from others. Those who had installed the APK immediately formatted their phones to regain control.
The Technology Behind the Trap
Investigators and cybersecurity professionals say this latest fraud relies on a simple but powerful social engineering strategy — manipulating trust. Cybercriminals send out an APK (Android Package Kit) disguised as a wedding invitation. Once downloaded, it requests permissions that grant the attacker full access to the phone: contacts, messages, files, and banking apps.
“People see a familiar name or a festive occasion and drop their guard,” said Ankush Saraswat, a cyber expert who has been tracking similar cases in Rajasthan. “In 90 percent of such cases, the breach happens because of user oversight. We give hackers control without realizing it.”
The malicious files often appear as innocuous links from friends or family. Once activated, they can remotely uninstall apps, change security settings, and even use the victim’s WhatsApp to spread the same link further. In one case, an elderly man reported that after clicking the link, his phone was completely locked—only the call function worked for over an hour before his son managed to remove the malware.
The attack’s timing is strategic. With “Savos” (auspicious wedding dates) beginning in early November, digital invitations are flooding WhatsApp and email inboxes. Criminals are exploiting this cultural rhythm, blending scams seamlessly into the season’s digital chatter.
Lessons from a Digital Season of Deception
Authorities are urging the public to treat unsolicited wedding or festival links with suspicion, even if they come from known numbers. Victims are advised to immediately unlink their phones from banking apps, call the cyber helpline 1930, and report cases via cybercrime.gov.in.
Experts suggest users check for suspicious files ending in “.apk”, “.exe”, “.pif”, “.vbs”, or similar extensions by searching their phone’s settings. These may indicate hidden applications with system-level permissions.
For many of the women in Bhilwara, the incident served as a harsh reminder that digital trust is fragile. “We never thought a wedding card could be a trap,” said Reena Jain, another group member. “We share joy online every day. Now we’re scared to even open a message.”
As the wedding season approaches, India’s cybercrime cells are bracing for more such incidents. What began as a season of celebration has turned into a lesson in digital caution — where even the most joyous invitation might hide a silent threat.
