
A message, a link, an APK file spell ruin

May 09, 2025 08:00 AM IST

Using WhatsApp, scammers convince people to download malicious files that grant access to their phones and subsequently, their bank accounts and password-locked investments

“Subject: Traffic Violation Notice. Immediate Action Required…”

Using WhatsApp, scammers convince people to download malicious files that grant access to their phones and subsequently, their bank accounts and password-locked investments. (AFP)

This notification popped up on the phone of a 29-year-old librarian from Karampura in west Delhi last month. When she opened WhatsApp, a message awaited her.

“Dear vehicle owner, we regret to inform you that a traffic violation has been recorded against your vehicle for violating traffic rules by jumping a red signal. Challan No. 123456, Amount due: ₹5,000. To view evidence and resolve the matter, download your challan. Failure to do so may result in further legal consequence,” the message read.

Startled, she clicked on what seemed like a blurry photo — supposedly evidence of her red-light violation. But the file wasn’t a photo at all. It was an APK — an Android Package file that installs an app on phones. Upon installing this file, she had unknowingly given cybercriminals the keys to her phone.

Within four days, the scammers siphoned ₹70,000 from her bank accounts.

“I usually don’t check my messages. After four or five days, I checked my bank balance and saw I had only ₹2,000 left. I was in shock,” she said.

Police confirmed the woman was the victim of what they call the “WhatsApp Blurr Scam” — a rising cyber fraud trend that uses blurry images, fake challans, and job offers to trick people into downloading malware-laced files.

The core of the scam lies in manipulating victims into installing a fake Android application (or an APK file) disguised as something trustworthy — a traffic challan, a job form, a bill receipt, or even an innocuous image.

A Delhi Police press note explained, “An APK file is a package that contains everything required to run an Android application. Normally, users download them from the Google Play Store, but fraudsters send these files through WhatsApp, Instagram, or SMS from third-party sources, tricking victims into installing them.”

Once downloaded and opened, the app asks for permissions — access to your SMS, contacts, call logs, camera, microphone, file storage, and even screen-sharing functions.

These permissions, if granted without a second thought, allow the scammer to remotely gain access to the device. They can intercept OTPs, clone your authentication apps, view banking information, read your text messages, and monitor your keystrokes — all without the victim ever realising.

“It’s not just that they gain access — they gain control,” explained Dharmendra Yadav, station house officer, Cyber Police Station (West). “The moment a person downloads the APK and accepts permissions, the phone is compromised. They can open your banking apps, initiate transactions, and even approve them using intercepted OTPs.”

“There are two main methods,” explained an officer from the Cyber Cell of the Crime Branch. “One is steganography — where a seemingly innocent image carries embedded code that activates once downloaded. The second, more common method, is to send an APK file disguised as an image or document. When the victim installs it, the malware gets full access to the device.”

In both cases, once clicked and installed, the malware silently activates and opens a backdoor into the victim’s phone — letting the app record calls, access photos, and intercept SMS, which include bank OTPs.
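The second method the officer describes, an APK sent under an image or document name, can be caught by checking a file's content rather than its name. The following is an added example, not part of the original article or any police tooling; it does not cover the steganography method, and the decoy-extension list, function names and sample bytes are constructed for illustration.

```python
import io
import zipfile

# Extensions a lure typically borrows to look like a photo or document (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx"}

def sniff_type(data: bytes) -> str:
    """Identify a file from its content, ignoring whatever it is named."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"PK\x03\x04"):  # ZIP local file header; an APK is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # Every installable Android package carries a manifest at the archive root.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"

def triage(filename: str, data: bytes) -> str:
    """Return 'disguised-apk', 'apk' or 'not-apk' for a received attachment."""
    if sniff_type(data) != "apk":
        return "not-apk"
    parts = filename.lower().split(".")
    # Honest name: ends in .apk and hides no image/document extension before it.
    honest_name = parts[-1] == "apk" and not DECOY_EXTS & set(parts[1:-1])
    return "apk" if honest_name else "disguised-apk"

def make_sample_apk() -> bytes:
    """Constructed stand-in: a ZIP with APK-shaped entries and placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    apk = make_sample_apk()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header only
    for name, blob in [("challan_evidence.jpg", apk), ("challan.jpg.apk", apk),
                       ("app.apk", apk), ("photo.jpg", jpeg)]:
        print(name, "->", triage(name, blob))
```

A mail or chat gateway can apply the same check to quarantine any attachment that comes back as `disguised-apk`, and to treat a plain `apk` from an unknown sender as an install request rather than a document.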

Most Android phones do display security warnings when installing apps from unknown sources. But scammers rely on the panic, urgency, or trust they manufacture — a traffic fine, a job offer, a failed delivery — to override caution.

The librarian said the blurry challan image and the official-sounding message made her believe it was genuine. “I thought I might have accidentally run a red light. The message looked official. I clicked without thinking.”

Cyber officers say such psychological tricks are key to the scam’s success. “They send something that feels urgent. It could be a fake electricity bill with a disconnection threat, or a message saying your bank KYC has expired. And people fall for it, especially when the file name looks official,” said an officer from the crime branch.

The Karampura librarian wasn’t alone. A senior cyber officer showed another complaint filed on April 17. The message, sent over WhatsApp, read: “Hi A****, Your CV has been shortlisted. We are pleased to inform you that your profile has been selected for 4 job opportunities. To proceed further, please download the form and pay a ₹500 subscription fee…”

The victim, lured by the promise of a job, clicked the link and downloaded the form. But it wasn’t a form — it was an APK file. The small payment was a means of getting the victim to input banking details.

Within hours, ₹40,000 had vanished from their account.

“These messages are becoming more sophisticated,” the officer said. “And with scammers discarding WhatsApp numbers after just 2-3 successful cases, tracking them is difficult.”

A major breakthrough in January revealed the scope of the operation. DCP (southwest) Surendra Chaudhary said his cyber team arrested four men running a pan-India racket using APK scams. One of their victims was a 64-year-old retired DRDO scientist from south Delhi who was undergoing cancer treatment. The man, while searching for Yahoo customer care online, found a number via a Google ad. When he called, the “executive” on the other end asked him to fill a complaint form — sent via WhatsApp.

“He thought it was genuine and downloaded the file,” said inspector Vikas Kumar Buldak, who led the investigation. “But it was an APK. The fraudsters soon had access to his accounts and siphoned off ₹40 lakh, including fixed deposits.”

The accused had uploaded their fake numbers online, posing as customer care agents for Yahoo, Gmail, Paytm, SBI, and even electricity and gas providers. Once victims reached out, they were directed to download the malicious APKs.

Police tracked the origin of the scam to Deoghar in Jharkhand and Mewat in Rajasthan. Using call detail records and banking logs, they discovered the fraud was being coordinated from these locations.

On April 6, a team arrested Iqbal Ansari (27) from Deoghar. Further raids led to the arrest of Sajid Khan (32), Salman Khan (24), and Narendra Kumar (29). Police said Ansari’s number had been running in Google Ads to trap victims. Khan and Salman handled the calls, while Kumar helped in transferring money through mule accounts.

“These men also posed as BSES or IGL staff, offering new connections or utility settlements. The scam is constantly evolving,” said Buldak.

Cyber officers say the scam thrives because of how easily people give app permissions.

“When a victim installs the APK, it asks for access to the camera, mic, contacts, location, messages — everything. Most users just tap ‘Allow’,” said a Crime Branch officer. “With that, you’ve opened the door for the fraudster to see everything on your phone — including your OTPs.”

To protect yourself, police recommend zero tolerance toward messages from unknown senders. “If you get a Good Morning message or a file from an unknown number — just ignore or delete it,” an officer said. “Even seemingly harmless images may carry malware.”

The Delhi Police urged people to use the National Cyber Crime Reporting Portal (https://cybercrime.gov.in) to report such scams. Many victims, especially those from older age groups, don’t file FIRs out of embarrassment or confusion, police said.

As the scam spreads, cyber teams across Delhi are collating complaints and preparing to register more cases. “We’re seeing hundreds of such incidents. This is just the beginning,” said inspector Buldak. “The APK scam is not only a challenge of law enforcement — it’s a challenge of awareness.”
