You receive a WhatsApp message from what looks like Delhivery, Amazon, or DTDC: "Your parcel is held at our facility. Download our app to reschedule delivery." There is a file attached ending in .apk. You install it. Within hours, your bank account is drained.

APK scams are one of the most dangerous forms of mobile fraud in India because the malicious app works silently — reading your OTPs, monitoring your banking apps, and sending your credentials to scammers in real time. By the time you notice, the money is gone.

Never install an APK file sent via WhatsApp, SMS, or any link.

All legitimate apps are available on the Google Play Store or Apple App Store. No real company sends you an app as a file.

What Is an APK File?

An APK (Android Package Kit) is the raw installation file for an Android app — the equivalent of an .exe file on Windows. Google Play Store apps are also APKs, but they go through Google's security checks before reaching your phone.

When you install an APK from outside the Play Store (called "sideloading"), you bypass all of Google's safety checks. The app can ask for any permission it wants — and many users tap "Allow" without reading what they are agreeing to.

The Most Common APK Scam Types in India

1. Fake Courier Tracking Apps

The most widespread APK scam. You receive a WhatsApp message claiming your Delhivery, Blue Dart, DTDC, or Amazon parcel is stuck. The message includes a link or file: "Download our tracking app to reschedule." The app looks real, asks for SMS access to "verify your address," and immediately begins forwarding all your OTPs to the scammer.

📱 Fake courier WhatsApp message
"Dear Customer, Your package (AWB: 4521874X) could not be delivered. Please download the Delhivery app to update your address and reschedule. [link or .apk file attached]"

2. Fake Video Call or Screen Share Apps

Scammers posing as bank customer care or technical support ask you to install a "remote assistance" app — often a repackaged version of AnyDesk, TeamViewer, or a fake app entirely. Once installed, they can see your screen, including your banking app, UPI PIN entry, and OTPs.

3. Fake Bank or UPI Update Apps

A message arrives claiming your SBI YONO, HDFC, or Google Pay app is outdated and needs an urgent security update. The link goes to a fake website that serves a malicious APK designed to look identical to the real app. When you log in, your credentials are captured.

4. Fake Government Scheme Apps

During subsidy season, scammers circulate APKs claiming to be from PM-KISAN, Ayushman Bharat, or ration card portals. These typically harvest Aadhaar numbers and bank account details entered during "registration."

7 Red Flags That Expose a Fake APK

🚩 Sent via WhatsApp or SMS. Real companies do not distribute their apps as files over messaging apps. Every legitimate app has a Play Store listing.
🚩 The link does not end in play.google.com. Any app download link that is not the official Play Store or App Store is suspicious. Check the URL carefully.
🚩 It asks to "Enable Unknown Sources." When Android warns you that installing this app requires enabling unknown sources, that is your phone telling you this app has not been verified. Stop immediately.
🚩 Excessive permissions. A courier tracking app does not need access to your SMS, contacts, camera, or microphone. Any app asking for permissions unrelated to its stated purpose is a red flag.
🚩 Urgency in the message. "Install within 2 hours or your parcel will be returned" — this is pressure designed to prevent you from pausing and verifying.
🚩 The sender's number is a mobile number. Official courier or bank communications come from verified shortcodes (like DL-DELVRY), not from random +91 mobile numbers.
🚩 The app icon or name looks slightly off. Look for subtle misspellings — "Delhiverry," "SBI YoNo," "PhonePay." Scammers clone real app visuals but cannot use the exact name.

What the App Does After Installation

Once a malicious APK is installed and granted permissions, it typically:

⚠️ A malicious APK does not need you to do anything after installation. It works automatically in the background. The theft may happen days later, not immediately.

I Already Installed a Suspicious APK — What Now?

  1. 1 Turn on Airplane Mode immediately. This cuts the app's internet connection and stops it from sending your data to the scammer while you act.
  2. 2 Uninstall the app. Go to Settings → Apps, find the suspicious app, and uninstall it. If it has Device Administrator access (some malicious apps grant themselves this), go to Settings → Security → Device Admins and revoke it first.
  3. 3 Change all banking PINs and passwords from a different device. Use a laptop or a trusted friend's phone. Do not change passwords on the compromised phone until it is clean.
  4. 4 Call your bank's fraud helpline immediately. Ask them to freeze your account temporarily until you are sure no unauthorised access has occurred. Most banks can do this within minutes.
  5. 5 File a complaint at cybercrime.gov.in or call 1930. Provide the phone number the message came from, the APK filename, and any transaction details if money was moved.
  6. 6 Consider a factory reset. If you are not certain the app is fully removed, a factory reset is the safest option. Back up only photos and contacts (not apps) before resetting.

💡 To verify any courier or delivery message, go directly to the company's official website and use their tracking tool. Never click links or install files from messages — even if the sender name looks familiar.