Bengaluru: Cyber scamsters are targeting unsuspecting citizens by luring them with malicious third-party Android Application Packages (APKs).
The APK files are either built from scratch by those with programming knowledge or bought on the dark web.
The scamsters exploit victims’ lack of knowledge about third-party apps and create a sense of urgency, often through messages sent on WhatsApp or Telegram. Victims are tricked into clicking unknown links and downloading harmful software.
In two cases reported last week, the victims lost a combined Rs 14.76 lakh.
Ganapati R (name changed), a 57-year-old farmer from Basaveshwara Nagar, downloaded an APK file and lost Rs 11.97 lakh.
He received a WhatsApp message on May 20, asking him to “urgently” update his PAN card.
After clicking on the link and downloading the app, he was asked to enter his PAN, bank, ATM details and PIN. Minutes later, Rs 4.16 lakh was debited from his account. He then received a call from people claiming to be with ICICI Bank. As per the FIR filed on May 21, the caller told Ganapati “his PAN card is being examined and the money will be credited back”.
The scamsters also asked him to dial *21*89******13#. The code he entered unknowingly forwarded his calls to another number. In all, he lost Rs 11.97 lakh in multiple transactions from his bank account and credit cards.
In the second case, Raman S (name changed), a 31-year-old private firm employee from AECS Layout, lost Rs 2.79 lakh after downloading an APK file shared by people impersonating the ICICI credit card department, as per the FIR filed on May 22.
In both cases, the victims did not know they were downloading malicious apps.
Senior cybercrime officers told DH that APK files downloaded by the victims were modified and had access to their SMS and other data by default.
“When you install an APK from outside of PlayStore, they may have any backdoor access to the device. It’s like planting a Trojan,” a senior officer said.
“They don’t just have access to messages. If they have installed tools like Remote Access Tools, they can even take complete control of the phone. They will see everything your camera sees, hear everything your microphone hears and mirror the screen itself.”
Aroonav Das, a cybersecurity architect, said malicious apps don’t follow a consent policy. “The official apps show you what permissions they need (contacts, gallery, etc) and the user has to explicitly agree to grant permission. Third-party apps are not under any such restrictions so they can get the permissions directly,” Das said.
Tricks of the trade
The police officer quoted earlier said such malicious apps were sometimes developed by those with programming knowledge.
“Anyone well-versed with app development can develop or they (scammers) would have paid some youngsters to develop. They may also be bought on the dark web. Their servers are normally hosted in other countries, making them extremely difficult to trace,” the officer said.
Das said building apps from scratch required an expert programmer. “But these days, templates are available and can be bought on the dark web and customised.”
DH has learnt that these APKs are customised as per the fraudsters’ needs and the scam they run: The apps can mirror a bank’s landing page or any other app that makes financial transactions.
How to stay safe
- Never click on links or install apps sent by unknown people on WhatsApp or Telegram
- Always use trusted sources like PlayStore or App Store
- Factory reset the mobile device if third-party apps from unknown links are downloaded
- Alert the cybercrime police (1930) and inform the bank