Cybercrime

₹21 Lakh for a Traffic Challan? Mumbai Businessman Duped in WhatsApp APK Scam

Published

on

A Malad-based businessman fell victim to a WhatsApp-based cyber fraud, losing over ₹21 lakh after cybercriminals tricked him into installing a malicious APK disguised as a traffic e-challan. Mumbai Police have arrested a 25-year-old student from Surat, identified as a key participant in the sophisticated money-laundering network behind the scam.

How the Scam Unfolded

Investigators revealed that the 42-year-old victim received a WhatsApp message on November 17, 2025, while attending a family wedding in Gujarat. The message carried a file titled “RTO Challan”, appearing to be an official traffic fine notification.

Assuming the file was legitimate, the businessman clicked it, unknowingly installing a malicious Android Package (APK). The app granted attackers remote access to his device, including banking applications. Within minutes, ₹11.33 lakh was drained from his account and ₹10.39 lakh from his wife’s, transferred through a series of rapid transactions designed to avoid triggering alerts.

Fraud Discovered

The theft remained undetected until December 1, when the businessman visited his bank. Officials identified suspicious withdrawals and alerted him, prompting a complaint to Mumbai North Cyber Police and the Cyber Helpline 1930.

Technical analysis traced part of the stolen funds, approximately ₹8.5 lakh, to the account of Hardik Ashokbhai Borda, a 25-year-old BCom student from Surat who also runs a small online business. Authorities said Borda routed the stolen money through multiple accounts to obscure its origin.

APK Scams: A Rising National Threat

The Future Crime Research Foundation (FCRF) has identified APK-based scams as a growing cybercrime pattern across India. Criminals often impersonate government departments, banks, or courier services to exploit trust, using fake e-challans, KYC updates, and urgent notices to manipulate victims into installing malware.

Former IPS officer Prof. Triveni Singh noted that these attacks are particularly dangerous because they give attackers full remote control of victims’ smartphones. Fraudsters can read OTPs, capture PINs, operate banking apps, and execute high-value transactions in real time.

Cybersecurity experts say malicious APKs bypass official app store checks and request broad permissions, including SMS access, screen overlay, and accessibility services, enabling automated, undetectable transactions.

Police Advisory

Mumbai Police have urged citizens to remain vigilant:

  • Download apps only from official app stores
  • Keep “Install from Unknown Sources” turned off
  • Regularly review app permissions
  • Report suspected frauds immediately to 1930 or the nearest cyber police station

Authorities emphasize that awareness and caution remain the strongest defenses against fast-evolving cybercrime, highlighting how a single click can result in substantial financial loss.

Click to comment

Trending

Exit mobile version