InstallFix and Claude Code: Fake Install Pages Lead to Compromise — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH


Beware in 2026: InstallFix and Claude Code Phishing Scam Targeting Indian Users with Fake Install Pages

A new phishing scam called InstallFix and Claude Code is fooling Indian internet users by tricking them into installing fake software that compromises personal data and finances.

What Is the InstallFix and Claude Code Scam?

The InstallFix and Claude Code scam is a high-risk phishing attack primarily targeting Indian smartphone and PC users. Fraudsters create convincing fake installation pages—often disguised as legitimate app updates or essential software fixes. These fake pages mimic popular Indian apps or widely trusted services to lure victims into downloading malware or providing sensitive information.

This scam mainly targets users through WhatsApp messages, SMS, or misleading pop-ups on websites. Indians who look for quick fixes to app errors or those responding to urgent-sounding messages about device security are especially vulnerable. Given India’s growing smartphone penetration and reliance on digital payments through UPI, such scams have become alarmingly widespread, with thousands of cases reported in metro cities and smaller towns alike.

CERT-In (Computer Emergency Response Team - India) and I4C (Indian Cyber Crime Coordination Centre) have flagged this scam in multiple advisories throughout 2025 and 2026. They warn that the malware deployed via these fake installs can steal saved UPI credentials, Aadhaar-linked data, and even perform SIM swap attacks to bypass two-factor authentication.

How This Scam Works — Step by Step

  1. Phishing Message Delivery: The victim receives a WhatsApp message, SMS, or email from an unknown or spoofed contact claiming their phone needs an urgent "InstallFix" or "Claude Code" update for smooth operation or security reasons.

  2. Fake Install Page Link: The message includes a link leading to a website that looks like a legitimate app update page or software download center. The domain often mimics well-known Indian tech brands or government portals.

  3. Prompt to Download Malware: The victim is asked to download and 'install' a recommended software package. The page may provide fake user reviews or a countdown timer to pressure the victim into quick action.

  4. Installation and Permissions: If the user installs the file, it requests permissions to access contacts, SMS, device storage, and even accessibility features on Android phones.

  5. Data Harvest and Exploitation: Once installed, the malicious app silently starts collecting sensitive data — including UPI PINs, bank OTPs intercepted via SMS, Aadhaar info, and authentication tokens.

  6. Unauthorized Transactions and Identity Theft: Fraudsters use this data to initiate fraudulent UPI transactions or SIM swaps, locking the victim out of banking apps or hijacking Aadhaar-based services.

  7. Continuous Exploitation: The malware may keep running in the background, harvesting more credentials or spreading to the victim’s contacts via WhatsApp to perpetuate the scam cycle.

Real Warning Signs to Watch For

What Happens to Victims

Victims can face severe financial losses in INR through unauthorized UPI transactions that drain their bank accounts. Since UPI transactions are instant and irreversible without the recipient’s consent, recovering stolen funds is difficult. Additionally, the stolen personal data can enable identity theft, leading to fraudulent loan applications or misuse of Aadhaar-linked services.

Emotionally, victims suffer from stress and fear of data misuse, especially when their SIM card is swapped. A SIM swap attack can block their access to mobile banking, phone calls, and two-factor authentication, complicating account recovery. Given the dependence on mobile phones for daily transactions in India, victims often feel vulnerable and helpless.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly advised users to download banking apps and software updates only from official app stores. RBI’s guidelines emphasize never sharing UPI PINs, OTPs, or Aadhaar details through messages or calls.

CERT-In’s advisories highlight the growing threat of malware introduced via fake install pages, urging Indians to be cautious of unsolicited update requests. The Indian Cyber Crime Coordination Centre (I4C) encourages users to report suspicious messages and malfunctioning apps immediately.

For assistance, users in India can call the cybercrime helpline 1930 or RBI’s banking fraud reporting numbers to block payments and protect accounts.

How to Protect Yourself

  1. Only Download from Trusted Sources: Use the official Google Play Store, Apple App Store, or verified government portals for app updates or installations.
  2. Double-Check Links: Inspect URLs carefully. Avoid clicking on messages asking you to install software urgently.
  3. Don’t Share Sensitive Info: Never reveal your UPI PIN, OTP, Aadhaar number, or passwords in response to calls, SMS, or WhatsApp messages.
  4. Use App Permissions Wisely: Decline any app installation that requests SMS reading, device admin, or contact access unnecessarily.
  5. Enable Two-Factor Authentication: For banking and UPI apps, use additional security layers that do not rely solely on SMS-based OTPs.
  6. Regularly Monitor Bank Statements: Check for unusual transactions and report immediately to your bank and RBI’s helpline if detected.
  7. Update Devices Securely: Always update your smartphone OS and apps directly through the official settings menu or app stores.
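
The permission pattern described in step 4 of the walkthrough and in item 4 above can be checked before anything is installed. The following is an added example, not code from BharatSecure or from any advisory: it audits a decoded AndroidManifest.xml (for instance one produced by a tool such as apktool) for SMS, contacts, storage, accessibility and device-admin access. The function name, labels, verdict levels and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Requested permissions matching what the page says the fake installer asks for.
RISKY_USES = {
    "android.permission.READ_SMS": "read SMS (OTP interception)",
    "android.permission.RECEIVE_SMS": "receive SMS (OTP interception)",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read device storage",
}
# A component guarded by one of these can be enabled by the user as an
# accessibility service or a device administrator.
RISKY_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
}
# Constructed sample manifest (illustrative, not taken from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return (findings, verdict) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in RISKY_USES:
            findings.append(RISKY_USES[name])
    for node in list(root.iter("service")) + list(root.iter("receiver")):
        bound = node.get(ANDROID_NS + "permission", "")
        if bound in RISKY_BINDINGS:
            findings.append(RISKY_BINDINGS[bound])
    reads_sms = any("SMS" in f for f in findings)
    privileged = any(f in RISKY_BINDINGS.values() for f in findings)
    # SMS access combined with accessibility or device admin is the
    # combination the page ties to OTP and UPI PIN theft.
    verdict = "high" if reads_sms and privileged else ("review" if findings else "low")
    return findings, verdict

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A "review" verdict means at least one sensitive permission is present without the SMS-plus-privileged-service combination; it is a prompt to ask why the app needs that access, not proof of malice.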

What to Do If You’ve Been Targeted

Frequently Asked Questions

Q: Can InstallFix or Claude Code malware steal my UPI PIN directly?
Yes. These scam apps often request permissions to read SMS messages and monitor inputs, allowing them to intercept OTPs and steal your UPI PIN during transactions.

Q: If I installed such an app, can I recover lost money?
Recovering money is challenging but not impossible. Report immediately to your bank, RBI helpline, and cybercrime portal. Early action increases chances of freezing fraudulent transactions.

Q: Are these fake install pages common only in India or global?
While similar scams exist globally, this particular scam has been heavily reported in India due to our widespread UPI use and digital payment growth. CERT-In and RBI have highlighted India-specific risks.


Stay alert and protect yourself from scams like InstallFix and Claude Code by verifying suspicious messages before clicking or installing. When in doubt, always visit BharatSecure.app to check verified scam alerts and keep your digital life safe.
