Aprajita Sharma, a journalist from Delhi, came close to losing significant sums of money when she unknowingly encountered an APK (Android Package Kit) fraud while tracking a courier. The incident occurred in early August when Sharma, waiting for a package delivery, turned to the India Post website for updates but found none.
In search of a customer care number, she was directed to a fraudulent website via Google Search, which nearly led to her bank account credentials being compromised.
“The customer care number on the original website did not work so I got it from another site listed on Google Search, not realising it would be a trap,” Sharma told Decode.
The person who answered the call told her that we would receive a call back. Five minutes later, Sharma received the call and was informed that the package was listed as pending.
She was then asked to update her address online, which required a small payment of Rs 5 to India Post. However, things took a suspicious turn when the person instructed her to download an APK file and make the payment through a UPI ID.
"In my desperation, I asked him to explain the whole process. The supposed executive sent me an APK file via WhatsApp and also connected over a WhatsApp video call for video KYC," she recounted.
Assuming this was part of the standard procedure, she granted permissions after downloading the file. However, she stopped midway upon noticing the Rs 5 payment was being made to 'Mukesh Yadav' instead of India Post.
"At that point, I was certain this was an individual and not someone from India Post, as the payment should go to the India Post UPI ID. I got suspicious and questioned the person," the journalist said.
The person immediately hung up. Shortly after, her phone started lagging. Sharma quickly deleted the APK file, switched off her phone, and contacted her banks to freeze all accounts.
"Thankfully, I didn’t lose any money," she added.
She later got to know that the scammer had tricked her into installing a keylogger in her mobile via the APK file. A keylogger is a software tool that records every keystroke made on a computer or mobile device. It can track everything a user types, including usernames, passwords, credit card numbers, and other sensitive information.
If Sharma had completed the transfer, the scammer would have documented her payment details and passwords, allowing money to be siphoned off from her account.
Common Types of APK Frauds You Should Know
APK fraud involves the distribution of malicious files that mimic legitimate applications, deceiving users into installing software that can steal personal data or hijack their devices.
According to Ashish Jha, co-founder of cybersecurity firm Bluefire Redteam, these files are often distributed via platforms like WhatsApp, Telegram, or even through compromised Wi-Fi networks. They are commonly used for credential harvesting or data theft.
Jha added, “They can also impersonate legitimate apps, particularly those related to banking or finance, and be surreptitiously installed on mobile devices.”
An X user had shared a similar incident where his father had installed an APK application called VSESSL-PM, which he received on a WhatsApp group where stock market tips were exchanged. The file was actually a “replica of Vadodara Stock Exchange limited (VSEL)”.
The victim was shown false IPO stock purchases with profit and loss details. When he tried to withdraw, he realised the shares were never bought. Over a month, more than Rs 65 lakh was transferred into a fake account.
He was deceived through phone company videos, presentations, and polite customer support, leading him to invest.
Another X user had flagged receiving a “doggy APK file” attached to a message supposedly from Vahan Parivahan, a government led initiative for vehicles. The message said that the user must clear the fine imposed on him “due to over speeding”.
Earlier, Decode had reported on the increasing number of fraudulent WhatsApp messages with APK files attached, urging users to complete their KYC (Know Your Customer) to avoid having their bank accounts suspended.
How can fraudulent APK files affect you?
Sharma’s ordeal was with a keylogger APK file, but that is just one of the tactics to infiltrate the privacy of a device. There are other ways too.
SD card reader- The APK file can ask for the access to read the SD card of the device. A mobile SD card stores media files (personal photos, videos, documents), backups, application installations and other important downloads.
Spyware- A malicious surveillance or a spyware tool can also be installed in a mobile via an APK file. Such tools can be used to monitor user behaviour or keep a tap on call logs.
Botnet- A botnet is a network of compromised devices (also called bots), controlled remotely by a hacker (botmaster) to carry out malicious activities. If a botnet is installed on a device through a malicious APK file, it can compromise personal data or use the infected device to send spam and phishing emails, spreading malware to other devices.
Screen recording- An APK file used for screen recording is an application package that allows scammers to record the screen activity of the infected device. These screen recording applications can capture everything displayed on the screen, including interactions with apps, videos, photos, or even phone calls, depending on its capabilities.
How to stay safe from rising APK frauds?
The incidence of APK frauds is on the rise, mirroring the broader surge in cybercrime across the country. As more people adopt digital platforms for banking, e-commerce, and communication, cybercriminals are increasingly exploiting this channel to distribute malicious software.
Recently, both ICICI bank and Punjab National Bank, had advised customers against installing any suspicious or malicious APK applications on smartphones, as it could result in potential hacking and financial loss.
To avoid falling into such traps, Ashish Jha warned individuals against downloading files from third-party libraries or stores. "One must always opt for applications from trusted app stores, and double-check the app developer’s credentials,” he said.
The cybersecurity expert also recommended being cautious when granting permissions after installing an app. “If an app doesn’t need access to your contacts or media, be suspicious of why it’s asking for it,” he said.
In the event a device is compromised, a factory reset is advised to remove malicious software. "However, malwares have become so advanced that they may still find ways to persist on the device," Jha added. He advised users to consider mobile security tools like Trend Micro or Bitdefender.
Reflecting on the incident, Sharma said the scammers could have easily emptied her bank account. "I was fortunate to catch something wrong in the payment process. However, my mistake was downloading the APK file in the first place."
She added, “It’s essential to question whether online instructions are coming from a legitimate source, no matter how convincing they seem.”
Essential Tips to Stay Safe from APK Fraud
- Download from trusted sources: Only use official app stores and verify the developer’s credentials.
- Be cautious with permissions: Avoid apps that unnecessarily request access to contacts or media.
- Factory reset if compromised: A reset may help remove malware, though advanced threats can persist.
- Use mobile security tools: Tools like Trend Micro or Bitdefender can offer protection.