Interstate Gang Defrauds ₹10 Lakhs with Fake APKs in Narnaul — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
2026 India Alert: Interstate Gang Defrauds ₹10 Lakhs with Fake APKs in Narnaul – A Rising Phishing Threat
A sophisticated phishing scam in Narnaul has seen an interstate gang cheat victims out of over ₹10 lakhs using fake mobile app downloads (APKs), highlighting a dangerous trend in digital fraud in India.
What Is the Narnaul Fake APK Scam?
This scam involves an organized group operating across multiple states in India who trick people into downloading fake APK (Android Package Kit) files. These malicious apps are disguised as trusted platforms, such as banking apps, UPI wallets, or government service apps, to steal sensitive financial data. In Narnaul, Haryana, victims reported losses totaling over ₹10 lakhs after unknowingly installing these fake apps on their smartphones.
Typically targeting everyday Indian users who rely heavily on mobile banking and UPI transactions, this scam preys on the trust placed in digital platforms, a trust amplified by increasing smartphone adoption. The scam coincides with the rise of phishing attacks involving APK files, a form of malware delivery that CERT-In has recently warned about in its cybersecurity advisories.
Authorities like CERT-In (Indian Computer Emergency Response Team) and the Indian Financial Crime Investigation Cell (I4C) have flagged this scam’s severity, urging users to exercise caution when downloading apps outside official sources like the Google Play Store. The Reserve Bank of India (RBI) has also reminded users to verify app authenticity to mitigate such frauds.
How This Scam Works — Step by Step
1. Initial Contact via SMS or WhatsApp: Victims receive a message claiming to be from a trusted entity: a bank, payment app, or government scheme (e.g., PM-KISAN or digital Aadhaar updates). The message includes a link to download a new “verified” app for faster access or security reasons.
2. Fake APK Download: Clicking the link takes the user to a website designed to look official. They are prompted to download an APK file that appears to be the legitimate app but is actually malware.
3. Permission Granting: When the user installs the fake app, it asks for excessive permissions, such as access to SMS, call logs, contacts, and screen capture, under the guise of “security verification.”
4. Data Harvesting and OTP Interception: Once installed, the fake app intercepts UPI PINs, OTPs sent via SMS, and other sensitive information. It may also initiate unauthorized transactions on the victim’s UPI or bank account.
5. Duping Contacts for Expansion: The app often uses the victim’s WhatsApp contacts to spread the scam further by sending similar fake app links.
6. Large Financial Loss: Victims soon notice unauthorized transactions, typically ranging from a few thousand rupees to lakhs, draining their bank accounts.
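The permission-granting step can be checked before an APK is ever installed. The following is an added example, not part of the original alert: it reads the text output of `aapt dump permissions` and flags the SMS, call-log, contact and screen-capture access described in the steps above. The grouping, the verdict names and the sample output (including the package name) are constructed for illustration.

```python
import re

# Manifest permissions mapped to the access the alert describes.
# The grouping is this example's assumption, not an official list.
RISKY = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    # Only declared on Android 14+; older versions show no manifest
    # permission for screen capture, so absence proves nothing.
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

# Accepts "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)", re.M)

def parse_permissions(aapt_output: str) -> set[str]:
    """Return the set of permission names listed in aapt's output."""
    return set(PERM_RE.findall(aapt_output))

def triage(aapt_output: str) -> dict:
    """Classify an APK by which risky permission groups it requests."""
    perms = parse_permissions(aapt_output)
    groups = sorted(g for g, names in RISKY.items() if perms & names)
    # SMS access is what enables OTP interception; combined with any
    # other risky group it matches the pattern in the alert.
    if "sms" in groups and len(groups) >= 2:
        verdict = "block"
    elif groups:
        verdict = "review"
    else:
        verdict = "no-risky-permissions"
    return {"verdict": verdict, "groups": groups}

# Constructed sample of `aapt dump permissions` output.
SAMPLE = """package: com.example.kycupdate
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "no-risky-permissions" result only means the manifest does not request these groups; it is not a statement that the app is safe.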
Real Warning Signs to Watch For
- Messages urging immediate action with threats of blocking accounts or missing benefits.
- Links to download APK files instead of directing to the official Google Play Store or App Store.
- Requests for unusual app permissions like SMS reading, screen recording, or remote access.
- Unofficial URLs or slightly misspelled website names in links.
- Apps asking you to disable Google Play Protect or device security settings.
- Rapid depletion of bank balance soon after app installation and UPI payments.
- Messages from unknown numbers or impersonating government departments without digital signatures.
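Several of these warning signs can be checked mechanically on an incoming message. The following is an added example, not part of the original alert: it flags urgency or threat wording, direct links to `.apk` files, and app-download links that do not point at an official store. The phrase list, finding labels and sample messages are constructed, and lookalike-domain detection is not covered.

```python
import re
from urllib.parse import urlparse

# Official store hosts named in the alert's advice.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Constructed phrase list for "immediate action" and account-blocking threats.
URGENCY = re.compile(
    r"\b(immediately|urgent|blocked|suspended|within \d+ hours?|last date)\b", re.I
)
APP_WORDS = re.compile(r"\b(app|download|install)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def check_message(text: str) -> list[str]:
    """Return a list of warning-sign findings for one SMS/WhatsApp message."""
    findings = []
    if URGENCY.search(text):
        findings.append("urgency-or-threat-language")
    for raw in URL_RE.findall(text):
        url = urlparse(raw.rstrip(".,)"))  # drop trailing punctuation
        host = (url.hostname or "").lower()
        if url.path.lower().endswith(".apk"):
            # A link that downloads an APK directly bypasses the app store.
            findings.append(f"direct-apk-link:{host}")
        elif APP_WORDS.search(text) and host not in OFFICIAL_STORE_HOSTS:
            findings.append(f"app-link-outside-official-store:{host}")
    return findings

# Constructed sample messages.
SCAM = ("Dear customer, your account will be blocked today. Update KYC "
        "immediately with the verified app: "
        "http://bank-kyc-update.example/KYC_Secure.apk")
LEGIT = ("Your statement is ready. Get our app at "
         "https://play.google.com/store/apps/details?id=com.example.bank")

if __name__ == "__main__":
    for msg in (SCAM, LEGIT):
        print(check_message(msg))
```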
What Happens to Victims
Victims of this phishing scam often face severe financial loss as the fraudulent app allows attackers to bypass Multi-Factor Authentication (MFA) by intercepting OTPs and UPI PINs. Unlike credit card fraud, recovering stolen money from UPI-based scams is complex because transactions are instantaneous and irreversible.
Emotionally, victims suffer stress and loss of confidence in digital payments, which are central to India’s push toward a cashless economy. The misuse of Aadhaar details and SIM swapping (where fraudsters hijack mobile numbers) compounds the damage, often leading to identity theft and further criminal activities.
What RBI and CERT-In Say
The Reserve Bank of India has repeatedly cautioned users to download banking and payment apps only from official digital stores like the Google Play Store or Apple App Store. In its guideline updates, RBI emphasizes that no bank or government body sends APK links through SMS or WhatsApp.
CERT-In has issued alerts regarding malicious APK files distributed via phishing messages to highlight the importance of verifying app sources and scrutinizing permissions requested during installation.
For help, RBI’s toll-free helpline is available at 1800-112-212, and CERT-In encourages victims to report incidents on cybercrime.gov.in or call the national cybercrime helpline at 1930.
How to Protect Yourself
- Only download apps from official stores — Google Play Store, Apple App Store, or government portals like DigiLocker.
- Do not click on links from unknown or suspicious sources, especially those asking you to download APK files.
- Verify the sender’s identity when receiving messages related to banking or government schemes.
- Scrutinize app permissions and reject apps asking for more access than necessary.
- Keep your phone’s security features enabled, including Google Play Protect and system updates.
- Do not share OTPs or PINs with anyone, including alleged bank officials.
- Regularly monitor your bank and UPI accounts for unauthorized transactions and report discrepancies immediately to your bank.
What to Do If You’ve Been Targeted
- Immediately block your UPI and banking apps by contacting your bank’s customer service or using your app’s security settings.
- Change all related passwords and PINs, including those for services linked to Aadhaar biometrics.
- File a complaint on the official portal: cybercrime.gov.in, choosing the relevant cybercrime category.
- Call the national cybercrime helpline 1930 to seek guidance on next steps.
- Inform your mobile operator about any suspected SIM swap or phone misuse to protect your number.
- Check with RBI’s banking ombudsman for dispute resolution if your bank does not respond quickly.
- Report to local police with all evidence, including screenshots, messages, and app details.
Frequently Asked Questions
Q1: Can I recover my lost money after falling victim to this fake APK scam?
Recovery is difficult because UPI transactions are instant and generally irreversible. However, you should immediately report to your bank and file a complaint with cybercrime authorities to increase the chances of recovery and assist in investigation.
Q2: How do I know if an APK is fake or malicious?
Fake APKs often come from links outside official app stores. They request excessive permissions like reading SMS, screen recording, or remote access. Always verify the source and never install apps from suspicious websites or messages.
Q3: What should I do if I accidentally installed a fake APK on my phone?
Uninstall the app immediately, disconnect your phone from the internet, and change all banking and UPI passwords from a secure device. Report the scam to your bank and cybercrime authorities without delay.
Stay alert to phishing scams like these to protect your money and identity. Verify suspicious messages or app links before taking any action. Visit BharatSecure.app to check if a message or link is safe — your first step to digital safety in 2026.