An unknown attacker infiltrated WhatsApp groups of political leaders and media teams in Hyderabad, seizing admin rights and distributing a malicious fake SBI app.

The Fake SBI App That Nearly Fooled an Entire Political Network

The420 Correspondent

WhatsApp groups used by ministers, legislators and political media teams in Telangana were infiltrated early Sunday morning by an unknown actor who seized administrator privileges, renamed groups after the State Bank of India (SBI) and pushed a malicious Android application disguised as an official banking tool.

Public relations officers (PROs) responsible for moderating the groups said they first noticed the breach when an unrecognized Indian number, +91 94903 73242, appeared in multiple groups without authorization. The intrusion quickly escalated: the hacker stripped existing admins of their rights, swapped group names and icons with SBI branding, and posted an “.apk” file urging members to update their Aadhaar details to avoid account suspension.


Political Circles and Media Groups Targeted

Among the affected groups were those managed by cabinet ministers, MLAs, district political bodies and their communication teams. Several journalists embedded in these groups also received the malicious prompt, intensifying concerns about a coordinated social-engineering attack.

The message sent by the attacker—written in formal banking language—claimed that the recipients’ SBI transactions had been “put on hold” and that their accounts would be blocked unless they installed an “SBI AADHAR UPDATE” app. The application, cybersecurity analysts say, is likely a credential-stealing payload designed to harvest mobile banking information.

Groups belonging to organizations such as the Vishwa Hindu Parishad (VHP), All India Youth Federation (AIYF), community associations and local administrative forums also reported unauthorized access attempts.

Admins Scramble to Regain Control

Throughout Sunday, PROs attempted to lock down their groups, manually expel the rogue number and restore administrative permissions. By evening, many succeeded, but several groups had already experienced temporary shutdowns or lost message archives due to the attacker’s modifications.

The episode underscores the administrative vulnerabilities of large WhatsApp groups—often used as de facto communication channels between politicians, party workers and journalists. Security experts warn that even a single unauthorized addition can lead to cascading breaches.

Experts Call for Stronger Group Controls

Cybersecurity specialists said the method used—a direct group insertion likely enabled by previously leaked invite links—was a reminder that WhatsApp group admins must tighten controls.

They recommended:

  • Requiring admin approval for new members

  • Disabling public or forwarded invite links

  • Using invite-only access and regenerating links periodically

  • Monitoring for unfamiliar numbers or unexplained role changes

  • Avoiding installation of “.apk” files shared in groups
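The monitoring items in the list above (unfamiliar numbers, unexplained role changes, .apk files) can be checked mechanically against a group's chat export. The script below is an added example, not code from the article or from any organisation it names. It assumes the plain-text line format of WhatsApp's "Export chat" feature (a timestamp, then " - ", then either "sender: message" or a system-event sentence such as "X changed this group's icon"); every phone number, group name and message in it is constructed, and the two rosters stand in for the member and admin lists a PRO would maintain. It flags joins via invite link, renames, icon changes, removals and admin demotions involving anyone outside the admin roster, messages from numbers outside the member roster, and any message that references an .apk file.

```python
import re
from dataclasses import dataclass

# Constructed sample export (format assumed; numbers are placeholders, not from the article).
SAMPLE_EXPORT = """\
16/11/25, 06:02 - +91 00000 00000 joined using this group's invite link
16/11/25, 06:03 - +91 00000 00000 changed the group name from "Media Cell Updates" to "SBI Official Updates"
16/11/25, 06:03 - +91 00000 00000 changed this group's icon
16/11/25, 06:04 - +91 00000 00000 removed +91 11111 11111
16/11/25, 06:04 - +91 11111 11112 is no longer an admin
16/11/25, 06:05 - +91 00000 00000: Dear customer, your SBI transactions are put on hold. Install the SBI AADHAR UPDATE app to avoid account blocking.
16/11/25, 06:05 - +91 00000 00000: SBI_AADHAR_UPDATE.apk (file attached)
16/11/25, 06:10 - +91 11111 11113: Do not install anything from this message, the PRO team is checking.
"""

# Constructed rosters: the numbers the group owner expects to see.
KNOWN_MEMBERS = {"+91 11111 11111", "+91 11111 11112", "+91 11111 11113"}
KNOWN_ADMINS = {"+91 11111 11111", "+91 11111 11112"}

# One export line: "dd/mm/yy, hh:mm - body". Adjust if your locale exports a different timestamp style.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2,4}, \d{1,2}:\d{2}) - (?P<body>.*)$")
# A normal chat message: "sender: text". System events carry no "sender: " prefix.
MESSAGE_RE = re.compile(r"^(?P<sender>[^:]+?): (?P<text>.*)$")
# System-event sentences (wording assumed from the export format).
EVENT_PATTERNS = [
    ("join_via_link", re.compile(r"^(?P<actor>.+?) joined using this group's invite link$")),
    ("member_added", re.compile(r"^(?P<actor>.+?) added (?P<target>.+)$")),
    ("member_removed", re.compile(r"^(?P<actor>.+?) removed (?P<target>.+)$")),
    ("group_renamed", re.compile(r'^(?P<actor>.+?) changed the group name from "(?P<old>.*)" to "(?P<new>.*)"$')),
    ("icon_changed", re.compile(r"^(?P<actor>.+?) changed this group's icon$")),
    ("admin_granted", re.compile(r"^(?P<target>.+?) is now an admin$")),
    ("admin_revoked", re.compile(r"^(?P<target>.+?) is no longer an admin$")),
]
# Actions only a known admin should be performing.
PRIVILEGED_EVENTS = {"member_removed", "group_renamed", "icon_changed"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    kind: str
    actor: str
    detail: str


def audit_export(export_text, known_members, known_admins):
    """Return the list of suspicious events found in a chat export, in file order."""
    alerts = []
    for raw in export_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # continuation of a multi-line message; not audited here
        ts, body = line.group("ts"), line.group("body")

        msg = MESSAGE_RE.match(body)
        if msg:  # ordinary chat message
            sender, text = msg.group("sender"), msg.group("text")
            if sender not in known_members:
                alerts.append(Alert(ts, "unknown_sender", sender, text[:60]))
            if ".apk" in text.lower():
                alerts.append(Alert(ts, "apk_shared", sender, text[:60]))
            continue

        for kind, pattern in EVENT_PATTERNS:  # system event
            ev = pattern.match(body)
            if not ev:
                continue
            groups = ev.groupdict()
            actor = groups.get("actor") or "<system>"
            target = groups.get("target", "")
            if kind == "join_via_link":
                alerts.append(Alert(ts, kind, actor, "invite link still live"))
            elif kind == "member_added" and target not in known_members:
                alerts.append(Alert(ts, "unknown_member_added", actor, target))
            elif kind in PRIVILEGED_EVENTS and actor not in known_admins:
                alerts.append(Alert(ts, "unexpected_" + kind, actor, target or groups.get("new", "")))
            elif kind == "admin_granted" and target not in known_admins:
                alerts.append(Alert(ts, "unexpected_admin_granted", actor, target))
            elif kind == "admin_revoked" and target in known_admins:
                alerts.append(Alert(ts, "known_admin_demoted", actor, target))
            break
    return alerts


def actors_to_review(alerts, known_members):
    """Numbers that raised an alert and are not on the member roster."""
    return {a.actor for a in alerts if a.actor != "<system>" and a.actor not in known_members}


if __name__ == "__main__":
    found = audit_export(SAMPLE_EXPORT, KNOWN_MEMBERS, KNOWN_ADMINS)
    for a in found:
        print(f"{a.timestamp}  {a.kind:28}  {a.actor}  {a.detail}")
    print("review:", sorted(actors_to_review(found, KNOWN_MEMBERS)))
```

Run it against an exported chat file in place of SAMPLE_EXPORT; the two rosters are the allowlist, so the value of the check depends on keeping them current, and the `join_via_link` alert is the signal that the group still has an invite link that should be revoked or regenerated.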

Experts added that political and organizational WhatsApp groups face elevated risk because they centralize sensitive communication, contact lists and media files.

Investigation Yet to Begin

Authorities have not traced the origin of the number used in the breach, and no police complaint has been filed as of Sunday evening. Digital forensics teams say such attacks may be probing exercises aimed at delivering broader malware campaigns.

For now, officials are urging political staffers and journalists to exercise caution. “One malicious file installed on a phone inside these groups can have a domino effect,” said one senior cybersecurity consultant. “These are high-visibility targets.”

The incident highlights growing concerns about the security of messaging platforms as they become essential tools for political communication and public outreach.
