The Hindu: Published on 01 September 2025.
Why in News?
APK (Android Package Kit) scams have emerged as one of the fastest-growing cybercrime threats in India.
Parliament was informed about a 900% rise in cybercrimes between 2021 and 2025.
Recent reports show ₹779 crore lost in just six months (Jan–July 2025) due to APK fraud in Telangana alone.
Background:
APK files function like .exe files in Windows — they install applications on Android devices.
Fraudsters exploit this by creating fake apps resembling government portals, banks, or utilities.
These apps gain dangerous permissions (SMS, contacts, notifications, microphone, location) and secretly steal banking data, OTPs, and personal details.
Such apps are circulated via WhatsApp, Telegram, and social media with urgent, manipulative messages.
How the Fraud Works:
Bait – Victim gets a call or message claiming urgent action needed (bank account blocked, electricity bill pending, subsidy update).
Trap – A link is sent to download an app with an official-looking name and logo.
Exploit – Once installed, the app seeks routine permissions. In reality, it takes full control of the phone.
Execution – Fraudsters:
Drain bank accounts.
Close FDs.
Intercept OTPs.
Monitor private data in real time.
Money Laundering – Stolen money is routed via mule accounts, e-wallets, and converted to cryptocurrency, making recovery nearly impossible.
Who is Behind the Scam?
Local Sources (60–70%): Cybercrime hubs like Delhi NCR, Meerut, Jamtara (Jharkhand), and parts of UP.
International Sources (30–40%): U.S., U.K., and China.
Dark Web & Telegram: Used for selling pre-built APK kits, distributing fake apps, and sharing victim databases.
Only about 10 distinct APK files are being repeatedly modified and circulated, showing large-scale reuse.
Targeted Victims:
Victims are carefully profiled using leaked databases (from hospitals, malls, service portals, Just Dial).
Typical targets: high-income professionals such as doctors, teachers, bankers, real estate agents.
Messages are customised with partial personal details to increase trust and urgency.
Impact:
Daily Losses: ₹10–15 lakh per day; high-value scams can touch ₹30–40 lakh per victim.
Public Trust Erosion: People are losing confidence in digital systems.
National Security Risk: Large-scale foreign involvement makes it not just financial fraud but also a cybersecurity challenge.
Steps Taken by Authorities:
Cyber Forensics: Attempt to decrypt seized APKs. Success rate is low (20–30%).
App Removal: Google has removed nearly 50 malicious apps based on investigations.
Arrests: Mostly of mule account handlers, but masterminds (especially offshore) remain elusive.
Awareness Drives: Cyber bureaus are urging the public not to download apps from unofficial sources.
Challenges in Tackling the Scam:
Encryption makes APK malware hard to detect.
Anonymous developers and shell identities shield real fraudsters.
Cryptocurrency laundering prevents financial recovery.
Lack of real-time coordination between States, banks, telecom companies, and global platforms like Google.
Way Forward:
Public Awareness: Large-scale campaigns to educate users against downloading APKs from unknown links.
Tech Safeguards: Mandatory multi-level screening by Google Play Store before apps are published.
Data Protection: Stronger safeguards against leaks of customer databases.
Legal Reforms: Faster cybercrime reporting and stricter penalties for mule account operators.
International Cooperation: Joint investigations with countries where APK networks originate.
In summary:
APK scams represent a dangerous convergence of fraud, technology, and organised cybercrime networks. With daily financial losses in crores and increasing sophistication, they demand urgent public awareness, stronger regulation, and coordinated global action.
