
APK-Based Scams: How Fraudsters Steal Your Money Without an OTP


My Story: How I Got Scammed

On July 13, 2024, I became a victim of financial fraud involving my RBL credit card. That morning, I received a call from an unknown number. The person on the other end introduced himself as an RBL Bank representative. He told me that since I had not been using my RBL credit card, a penalty would soon be deducted as an annual charge unless I activated it or made a transaction.

He then sent me a link via WhatsApp, asking me to install an APK file named RBL CREDIT CARD SETTING to activate my card. At around 11:16 AM, I clicked on the file and followed the instructions displayed on my screen. Shortly after, I started receiving multiple OTP requests via SMS for transactions linked to my credit card. Since I had not initiated any transactions, I did not share any OTPs. However, to my shock, two unauthorized transactions had already gone through—one for ₹38,400 (Transaction ID: MTXXXXXXXXXXXXXXX705) and another for ₹21,000 (Transaction ID: MTXXXXXXXXXXXXXXX370).

At first, I couldn’t understand how the fraud had happened. The app seemed legitimate, but after discovering the unauthorized transactions, I realized it was a scam. I immediately reported the incident to my bank and the Cyber Crime Department, requesting an immediate reversal of the disputed amounts.


How This Fraud Happened

This type of cyber fraud is known as APK-based phishing or malware fraud, where fraudsters trick victims into installing a malicious application that steals sensitive information. Here’s how this type of fraud typically happens:

  1. Impersonation: Fraudsters pose as legitimate bank representatives and create a sense of urgency, often warning about penalties or account restrictions.
  2. Social Engineering: Having posed as a trusted source, fraudsters convince the target to install an APK file or follow specific steps under the pretext of avoiding financial loss or activating a service. This psychological manipulation makes victims act quickly without verifying the authenticity of the request.
  3. Malware Installation: The APK file contains hidden malicious software that, once installed, gains unauthorized access to the victim’s phone data. It can read SMS messages, capture keystrokes, and even enable remote access, allowing fraudsters to steal banking details and intercept OTPs. Additionally, fraudsters may use well-known screen-sharing apps such as AnyDesk, TeamViewer, and QuickSupport to gain control of the victim’s device and extract OTPs or other sensitive details in real time.
  4. Data Theft: The malicious app collects banking details, including card information, stored OTPs, or autofill credentials, without the user’s knowledge.
  5. Unauthorized Transactions: Even if victims do not share OTPs, the malware can intercept them in the background, enabling fraudsters to complete fraudulent transactions.

Warning Signs: When to Exercise Caution

  • 🔴 Unsolicited Call: Receiving a call from an unknown number claiming to be a bank representative.

  • 🔴 Urgent Threat or Penalty: Being told that inaction will result in penalties, charges, or account suspension to create pressure.

  • 🔴 Suspicious Links or APKs: Being asked to download apps or files (like an APK) from unofficial sources instead of official bank channels.

  • 🔴 Unauthorized Transactions: Experiencing charges or transactions without initiating any activity, signaling potential compromise.

  • 🔴 Overly Convincing App Appearance: Apps that appear legitimate but are used to capture credentials or bypass security.

How to Prevent Such Fraud

If you want to protect yourself from similar scams, follow these preventive measures:

  1. Never Install Unknown APK Files: Banks never ask customers to install apps via links or third-party sources. Be cautious if an app asks you to change your phone settings to allow installation from unknown sources, as this is a red flag for malware. Always download official banking apps from Google Play Store or Apple App Store.
  2. Verify Calls and Messages: If someone claims to be from your bank, independently verify their identity by calling the official customer service number. Do not rely on Google searches alone, as fraudsters often place fake customer service numbers in ads to deceive people. If you are not technically conversant, visit the bank physically to obtain the correct contact details or ensure you are visiting the bank’s official website for accurate information.
  3. Check App Permissions: If an app asks for access to your messages, contacts, storage, or screen sharing, be cautious. Most banking apps do not need such permissions. If you are unsure, avoid installing the app or ask someone knowledgeable to check its legitimacy before proceeding.
  4. Enable Transaction Alerts: Keep SMS and email alerts activated for all financial transactions to detect unauthorized activity as soon as it happens. These alerts allow you to respond quickly by reporting fraudulent transactions to your bank.
  5. Secure Your OTPs: OTPs are meant for personal use only. Even if someone claims to be a bank employee, never share your OTP. Apart from malicious APKs, fraudsters use other methods to steal OTPs, such as IVRS (Interactive Voice Response System) calls where victims are tricked into entering OTPs, phishing emails that mimic legitimate banking communication, or fake customer service calls creating a sense of urgency. Be cautious of any unsolicited request for OTPs and always verify through official channels before responding.
  6. Report Suspicious Activity Immediately: If you suspect fraud, reporting it on the cybercrime.gov.in portal is a must. Additionally, inform your bank and visit your local police station or cyber police station for further assistance.
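
For readers who are comfortable with a command line, the permission check from step 3 can be done before an APK is ever installed. The script below is an added example, not something from my case: it reads a permission listing in the format printed by `aapt dump permissions` and flags the permissions that match the malware behaviour described earlier. The package name, the sample listing and the choice of "risky" permissions are assumptions made for this example.

```python
import re

# Permissions mapped to the capabilities this article describes.
# The mapping is chosen for this example; it is not an official list.
RISKY = {
    "android.permission.RECEIVE_SMS": "intercept incoming OTP messages",
    "android.permission.READ_SMS": "read stored SMS, including OTPs",
    "android.permission.SEND_SMS": "send or forward SMS silently",
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET = "android.permission.INTERNET"

# Accept both listing styles: name='android.permission.X' and a bare name.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?")
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")


def audit_permissions(dump: str) -> dict:
    """Return the package name, flagged permissions and an OTP-theft verdict."""
    package, requested = None, set()
    for line in dump.splitlines():
        line = line.strip()
        if m := PKG_RE.match(line):
            package = m.group(1)
        elif m := PERM_RE.match(line):
            requested.add(m.group(1))
    flagged = {p: RISKY[p] for p in sorted(requested & RISKY.keys())}
    # SMS access plus network access is enough to read an OTP and send it out.
    can_exfiltrate = bool(requested & SMS_PERMS) and INTERNET in requested
    return {"package": package, "flagged": flagged,
            "can_exfiltrate_otp": can_exfiltrate}


# Constructed sample listing (hypothetical package, not the APK from my case).
SAMPLE = """\
package: com.example.cardsetting
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""

if __name__ == "__main__":
    report = audit_permissions(SAMPLE)
    print(report["package"], "OTP theft possible:", report["can_exfiltrate_otp"])
    for perm, why in report["flagged"].items():
        print(f"  {perm}: can {why}")
```

A "card activation" app has no reason to request SMS access at all, so any flagged SMS permission on such an app is reason enough not to install it.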
