One tap, big trap: APK links cost Telangana citizens ₹40.20 crore

A single tap on an APK link on their smartphones has cost Telangana citizens over a staggering ₹40.20 crore in the last 10 months alone. Despite numerous advisories issued by cybercrime police stations statewide and the Telangana State Cyber Security Bureau (TGCSB), these cases continue to surge.

Telangana has recorded a total of 4,100 cases of APK frauds so far in 2024. Lakhs of rupees are debited from victim’s bank accounts despite them not sharing any one-time password (OTP) with fraudsters.

What is APK?

An APK or Android Package Kit, is a package file format used by the Android operating system (OS) for distributing and installing mobile applications. It can be thought of as the Android equivalent of an executable file (.exe) on Windows. Such files harbour all the elements needed by an app to install on your device.

Typically, users can download APK files from the official source — Google Play Store. However, files can also be obtained from third-party sources which are not necessarily safe. When users attempt to install the APK file, they are warned about the risks of installing apps from unknown sources. Additionally, the app requests extensive permissions including access to the camera, microphone, location, contacts and SMS.

According to experts, cyber criminals alter APK files to include malware which are sent via messages crafted to look legitimate, often mimicking official communication styles. In many cases, they convert a webpage into an app and the code is later altered to hack into the user’s device. This takes less than a few minutes even for a layman and such fraudulent apps are often hosted on random domains for free.

Meanwhile, Google Play Store is also actively removing applications which may appear genuine but are linked with online gaming or scamming links or unauthorised webpages.

For instance, on November 13, a victim from Hyderabad received a call from an unknown number asking the victim to increase credit card limit. After ‘verifying’ the personal details, the victim was instructed to install an APK file sent via WhatsApp. From the outside, the link appeared to be a genuine link from Axis Bank. However, within minutes of installing it, the victim lost ₹1.18 lakh from his credit card. This is among the 106 cases booked by the Hyderabad Cyber Crime police this year.

Fortunately, the victim’s prompt reporting led to the entire money being received back within 24 hours, that too without a court order.

The National Cybercrime Reporting Portal (NCRP) team of the Hyderabad Cyber Crime police uses sophisticated scanners and anti-virus to remove the malware from the victim’s mobile device, which is then formatted. The investigation revealed that the debited amount was used for multiple purchases on the popular e-commerce platform Flipkart. The police immediately issued notices to the concerned authorities to block the transactions, and the entire amount was reverted to victim’s Axis Bank account on November 14.

Fraudsters use multiple Modus Operandi (MO) including KYC update, online order refunds, delivery location updates from fake India Post, FedEx and other courier services, Aadhaar card update, new credit card application, stock marketing and trading applications to get victims to install such links.

The cybercrime police have warned of a wide range of threats including data theft (in which fraudsters steal personal and financial information, leading to identity theft and significant financial losses), device control (in which hackers can gain complete control over your device leading to unauthorised transactions) and reputation damage (in which sensitive or personal information is leaked).

Officials have advised citizens to not click on any suspicious links or allow permissions to sensitive information on devices.

Published - November 14, 2024 08:06 pm IST