Pradeep Jain didn’t think much of the WhatsApp ping that arrived at dawn. Just another day, another unknown number, another random message. But the photo it carried—an image of an elderly man—would soon become the opening move in a meticulously orchestrated heist.
The resident of Jabalpur, Madhya Pradesh, never imagined that clicking on a harmless-looking image could drain his bank account. The photo accompanied a text: “Have you seen this person?”
It began on the morning of March 28. A call from an unknown number came in around 8 AM. The voice on the other end asked if he recognised the person in a photo sent via WhatsApp, then abruptly hung up.
The image Pradeep Jain received on WhatsApp
Curious, Jain opened the app and tapped on the photo. It showed nothing remarkable—just an unfamiliar old man. He shrugged it off.
He ignored the follow-up calls—four or five of them came from the same number. But around noon, while chatting with a friend, he inadvertently picked up the call. “I told the caller I didn’t know the person in the picture and disconnected,” he recalled.
His world flipped moments after that.
Three SMS alerts arrived in quick succession. One showed a Rs 1 credit into his Canara Bank account. The next two revealed a double punch: Rs 1,00,000 gone. Then Rs 1,10,000. Wiped out in minutes.
Panicked, Jain rushed to the bank. His account was frozen, but the damage was done. The money had vanished. His passbook showed cryptic entries: transactions under names like "IB IBF" followed by random numbers, traced later to a newly opened Canara Bank account in Hyderabad.
The withdrawals had been made from an ATM. Other transactions bore the names "Vishal Online" and "Jannatun Bibi Online".
"I begged the bank to help, but they just told me to go to the cyber helpline," he told Decode. "Even the helpline didn’t register my complaint. I had to physically submit a letter the next day."
It wasn’t until later that Jain and his son pieced together what had really happened.
An unfamiliar app called “Customer Service” had appeared on his phone. He hadn’t installed it. Its icon was eerily familiar—it used the same display picture as the scammer’s WhatsApp profile. That app, he realised, had been the silent culprit.
Somehow, in the aftermath of that photo tap, malware had snuck in—silently planting the app and giving the attacker full access to Jain’s accounts. “The scammer had access to my messages, call logs, even my OTPs,” he told Decode.
Even incoming verification calls from the bank were intercepted and answered by the scammer, pretending to be Jain. “When Canara Bank called to verify a transaction, it wasn’t even me who picked it up. The scammer answered, pretending to be me,” Jain said.
Worse still, the scammer used those intercepted details to activate net banking on Jain’s account—something he had never used—hotlisted his debit card to prevent him from blocking it, and siphoned off the funds.
“This was planned. Every move was calculated,” he recalled.
“WhatsApp’s security failed. A malware-ridden image shouldn’t be able to install an app on someone’s phone,” he told Decode. “Canara Bank allowed net banking access without any in-person verification or Aadhaar authentication. And even when I acted quickly, no one—not the bank, not the cyber cell—stepped in to stop it.”
But could a simple image on WhatsApp really unleash such chaos?
Cybersecurity experts explained that while the story is alarming, it isn’t as straightforward as it seems. Simply clicking an image on WhatsApp, they argue, shouldn’t be enough to install malware or trigger an attack.
Experts told Decode that scams like this often rely on techniques such as steganography and binding—both of which are known methods, but not as effortless to execute as they may appear.
Steganography and Binding: How Do They Work?
Steganography is the practice of hiding secret information inside something that looks normal—like hiding a message inside a photo, video, or audio file.
Unlike encryption—which scrambles data—steganography hides the fact that there's even a message at all. For example, someone might change tiny pixels in an image that look normal to the eye but contain hidden data.
On the other hand, binding refers to the attaching of a file, in this case a malicious APK file, with something harmless, like an image. Technically, both files are stitched together at the binary level. Once the image data ends, the malicious APK code embedded with it begins to execute.
But experts stress that simply receiving or even downloading such an image won’t trigger the malware. The victim usually has to interact with it—by clicking or allowing permissions—for the malware to activate.
Cybersecurity expert Rupesh Mittal explained that both techniques are easy to learn, with tutorials available online. “That’s what makes it dangerous. Anyone can try it,” he said.
Could WhatsApp Be the Source?
Speaking to Decode, security researcher Akshay explained why the said scam is unlikely to be pulled off via WhatsApp. He said, “WhatsApp uses end-to-end encryption so images are usually compressed on the sender's phone before being sent. But it's possible to bypass this compression using a modified app and send an uncompressed, potentially harmful image file.”
However, he pointed out that if the image is specially crafted to exploit a bug and the receiver's phone has an unpatched vulnerability—either in WhatsApp or the phone's image processing software—it could, in theory, trigger malicious code when opened.
The researcher added that modern smartphones have strong security features (like sandboxing and regular updates) that make such attacks very hard to pull off. “These kinds of exploits are rare and usually used by governments or advanced hackers—not against regular users.”
So, unless there’s a serious, unknown flaw on the receiver’s device, the idea that just downloading an image on WhatsApp can infect your phone is highly unlikely, Akshay concluded.
So how did the app appear on Jain’s phone?
One possibility is that the attacker tricked him into inadvertently granting permission. Some modified versions of WhatsApp can also send uncompressed files, bypassing image compression and allowing harmful payloads to slip through. But these methods require more than just a tap—they need participation, even if unintentional.
Mittal pointed out that the execution of this scam might not be possible without social engineering. “The malware can’t run on its own in the background. It still needs the victim to grant certain permissions or unknowingly install the application. Without that manual approval, Android won’t let it function.”
He noted that while WhatsApp had a known vulnerability back in 2022—where code could be executed during a video call—such cases are rare and have since been patched. “Today, unless the attacker convinces the victim to take a specific action, like installing an app or granting permissions, malware can't just magically start working.”
In 2022, WhatsApp fixed a serious security flaw that allowed hackers to take control of a person’s phone just by starting a video call. The bug—known as CVE-2022-36934—was caused by an error in the way WhatsApp handled video calls.
The Real Problem: A System That Failed
Jain’s story, experts say, isn’t just about a tech exploit—it’s about how easily people’s trust can be turned against them, and how weak our defenses are when that happens.
WhatsApp’s end-to-end encryption and platform safeguards are supposed to make such attacks difficult. Canara Bank’s systems, too, should prevent unauthorised net banking setup without Aadhaar-based verification. And the national cybercrime helpline should respond swiftly in emergencies.
Yet all three failed Jain when he needed them most.
In the end, the photo of the old man may have just been a bait. But it exposed far more than one man’s vulnerability. It showed the cracks in the walls that are supposed to keep us safe. “It’s not just the file—it’s the manipulation that makes people open it, click it, and allow it to do harm,” Mittal said.