India, August 2025: HDFC Bank, India’s largest private sector bank, advises customers to remain vigilant against APK (Android Package Kit) frauds. The aim is to increase awareness about such frauds to safeguard customers.
In an APK scam, fraudsters typically use social engineering tactics by impersonating bank employees or government officials. This involves the recipient of the message receiving a malicious APK file claiming to be from trustworthy sources. When a person installs these files, the fraudster gains full control of their phone. They can then redirect calls and text messages to another device and steal data from the victim’s phone. In many cases, fraudsters also access the victim’s bank accounts and carry out transactions without their consent.
The scam usually begins with fraudsters impersonating government officials, bank employees, or representatives of well-known companies under the pretext of performing tasks such as Re-KYC, payment of traffic fines, or refund of income tax. A message is sent to the victim containing a fake APK link. Once the victim clicks on the link, malware gets installed on their mobile phone without their knowledge, giving the fraudster complete access to the device. Within minutes, multiple unauthorised transactions often take place, leading to financial losses. Victims typically realise they have been duped only after receiving messages from their bank about money being debited from their accounts.
Fraudsters employ various tricks to lure customers. In one example, they reach out via phone calls, emails, or messages, claiming that the customer’s KYC needs to be updated immediately. They create a sense of urgency and fear that the account may get blocked. They then share fake APK links, often embedded with a bank logo, and prompt the victim to install the app. Once installed, the app requests sensitive details like account numbers, credit/debit card information, or OTPs, which are instantly stolen and misused for fraudulent transactions.
In another scenario, fraudsters impersonate transport authorities, such as the RTO, and send fake messages or emails about a pending e-challan. These messages contain malicious APK links that, when clicked, compromise the victim’s phone.
To stay safe, customers should avoid clicking on suspicious links or installing apps and files received via social media, SMS, or email claiming to be from institutions like the RTO, Income Tax Department, or bank officials. It is important to use reliable antivirus or anti-malware software that can detect and block harmful files. Customers should download apps only from trusted sources or official websites and avoid installing third-party apps based on phone requests from unknown persons. It is always advisable to verify the legitimacy of messages or emails through the respective official website. Any fraudulent or suspicious calls and messages can be reported on the Chakshu portal at https://sancharsaathi.gov.in/ or via the Sanchar Saathi mobile app.
HDFC Bank also urges customers to remain alert against other scams, such as “digital arrest” fraud, where fraudsters impersonate law enforcement or government officials and threaten victims with a digital arrest warrant for alleged tax evasion, regulatory violations, or financial misconduct. Investment scams are also on the rise, in which fraudsters promise unusually high returns on stocks, IPOs, cryptocurrency, and other investments through fake automated platforms promoted on social media. These scams exploit human emotions using the GTH method – Greed, Threat, and Help – to deceive victims.
In case a customer falls victim to online fraud, it is crucial to immediately report unauthorised transactions to the bank to block payment channels, such as cards, UPI, and net banking, to prevent further losses. Victims should also call 1930, the Ministry of Home Affairs (MHA) helpline, and submit a complaint on the National Cyber Crime Reporting Portal at https://www.cybercrime.gov.in.
