UditVani, Jamshedpur : The spread of malicious mobile applications (APK files) has emerged as one of the most alarming forms of cyber fraud in India, with recent investigations by TraceX Labs uncovering a surge in sophisticated trojan-based attacks targeting Android users.
Unlike the older days of phishing calls or SMS lures, cybercriminals have now turned to trojanised APK files disguised as legitimate apps, leveraging popular messaging platforms like WhatsApp and Telegram to infiltrate personal networks and spread malware at lightning speed.
How the Scam Works
The latest campaign involves fake traffic violation alerts sent via WhatsApp. Victims receive messages claiming to be official challan notifications, complete with ticket numbers and vehicle registration details. The link provided redirects to a malicious app masquerading as NextGen mParivahan — the genuine transport services app launched by the Ministry of Road Transport & Highways.
Once installed, this Remote Access Trojan (RAT)-laden app grants attackers complete control over the victim’s device, enabling them to:
Steal SMS messages and intercept one-time passwords (OTPs)
Manipulate mobile banking and UPI apps
Harvest sensitive personal and financial data
Activate the microphone and camera remotely
Spread malware further through the victim’s own WhatsApp and Telegram contacts
“Fraudsters no longer rely on random cold calls. They exploit trust within personal networks to spread malware. Our investigation shows scam hubs across India are playing a leading role in orchestrating these operations,” said a cybersecurity analyst at TraceX Labs.
Fake Apps Beyond mParivahan
TraceX Labs also identified a host of other fraudulent apps circulating online, including:
RTO Challan
E-Challan APK
Fake utility tools
Wedding Invitation apps
Adult-themed APKs such as Bhabhi Calling and Video Call APK
These apps appear harmless but once installed, they embed themselves into the system, often going undetected until financial or identity theft has already occurred.
The Bigger Picture
The Indian Computer Emergency Response Team (CERT-In) has repeatedly warned about trojanised APKs in circulation, particularly on third-party app stores and social media groups. According to cybersecurity experts, such malware-driven scams have already caused financial losses worth hundreds of crores of rupees nationwide.
Globally, trojan-based malware targeting Android has also been flagged by agencies like Europol and INTERPOL, with India being one of the most heavily targeted markets due to its rapidly growing digital payments ecosystem.
Why It’s Hard to Stop
The rapid spread of these APKs through WhatsApp and Telegram poses a unique challenge. Because the malicious links often come from trusted contacts or family groups, users tend to lower their guard. This creates a chain reaction of infections, making containment extremely difficult.
How to Stay Safe
TraceX Labs and security agencies recommend:
1. Download apps only from trusted sources like Google Play or Apple’s App Store.
2. Avoid clicking on links received via WhatsApp, Telegram, or SMS, even if sent by known contacts.
3. Be suspicious of apps asking for unnecessary permissions such as SMS access, storage, or accessibility services.
4. Keep devices updated with security patches and use a reliable antivirus scanner.
5. Regularly review app permissions on your device.
What To Do If Infected
Uninstall the suspicious app immediately.
Reset banking credentials and enable transaction alerts.
Temporarily disable UPI transactions if compromise is suspected.
Report the fraud via the National Cyber Helpline (1930) or at cybercrime.gov.in.
The Final Warning
Cybersecurity experts underline that the era of “cold-call phishing” is being replaced by a far more insidious threat — social engineering through trojanised APKs. The convenience of instant messaging platforms has become the fraudsters’ most powerful weapon.
“Awareness is the first line of defence,” TraceX Labs concluded in its report adding “Every unsolicited link or app download must be treated with caution. The battle against cyber fraud now begins in our own WhatsApp chats.”
