How to Stay Safe from Downloading Fake Apps via APK Scams

Muktha Tavane|3 min read|03 December, 2025

Smartphones now carry everything we depend on – payments, banking apps, identity documents, work tools and private conversations. With a lot riding on one device, it’s no surprise that cybercriminals focus on exploiting fake apps and malicious APK files.

These scams often begin with something really insignificant: a link on WhatsApp or Telegram, an SMS claiming a missed traffic challan, or a message offering a “free upgrade” to a premium service, such as an OTT subscription. A single tap can hand over control of your phone to someone you don’t know.

What makes APK downloads dangerous?

An APK (Android Package File) lets you install apps outside legitimate app stores such as Indus Appstore, Google Play Store, and Apple App Store. While sometimes used for justified reasons, these files bypass the security checks applied to apps on authorised app stores.

How the scam plays out

Fraudsters typically follow a clear sequence:

  • The fraudster lures the victim by sending an SMS or forwarding a link – promising a reward, loan or penalty removal
  • The link leads to a direct APK download of a fake app, instead of an authorised app store install
  • A prompt asks for excessive permissions (SMS, Contacts, Accessibility, Notifications, etc.)
  • The fake app either does nothing visible or crashes – while malware runs silently
  • Behind the scenes: OTP interception, screen-overlay attacks, banking access, deleted alerts

The user realises only after unauthorised transactions or drained accounts.

How big is the threat?

In 2024, around 36 lakh cyber-fraud complaints were logged in India with estimated losses of ₹22,845 crore. Reported cybersecurity incidents doubled from about 10.29 lakh in 2022 to around 22.68 lakh in 2024.* 

Who is at risk?

While anyone can be targeted, the most common victims include:

  • Professionals who use multiple apps and transact frequently
  • Elderly or less tech-savvy users who may trust any message that appears official
  • Young users seeking “free” apps or game upgrades without checking the source

Warning signs to watch out for

  • A download link sent via SMS, WhatsApp or any third-party app instead of an authorised app store like Indus Appstore
  • App requests for permissions that don’t match its purpose (e.g., a flashlight app asking for permission to access the SMS app)
  • Developer names that look misspelled, new or suspicious
  • Offers or messages sounding too good to be true (“Free premium”, “Instant loan approval”, Wedding invitation, etc.)
  • App shows minimal downloads, generic branding or poor user reviews

How to protect yourself

  • Install apps only from official stores (Indus Appstore/ Google Play/ Apple App Store)
  • Keep “Install Unknown Apps” disabled unless you know exactly what you’re downloading
  • Avoid tapping on links/ files about challans, refunds, rewards or loans sent unexpectedly
  • Review permissions requested by apps before enabling them
  • Use a trusted mobile security tool to scan for behaviour that seems malicious
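
The permission review described above can also be done on a computer, without installing a suspicious APK. The following is an added example, not PhonePe's code: it assumes the APK's AndroidManifest.xml has already been decoded to text XML (for example with apktool), and the function name, risk labels and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the categories this article warns about.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS (OTP interception)",
    "android.permission.RECEIVE_SMS": "SMS (OTP interception)",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "Screen overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "Installs other APKs",
}
# A <service> guarded by one of these asks for Accessibility or
# Notification access once the user enables it in Settings.
RISKY_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Notifications",
}

def audit_manifest(xml_text):
    """Return a sorted list of (permission, reason) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            findings.add((name, RISKY_PERMISSIONS[name]))
    for node in root.iter("service"):
        perm = node.get(ANDROID_NS + "permission")
        if perm in RISKY_SERVICE_BINDINGS:
            findings.add((perm, RISKY_SERVICE_BINDINGS[perm]))
    return sorted(findings)

# Constructed sample: a "flashlight" app that also wants SMS and Accessibility.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"FLAG {perm}: {reason}")
```

A flagged permission is not proof of malware; it is a prompt to ask whether the app's stated purpose needs it.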

What to do if you’ve installed a fake app

  • Uninstall the app immediately
  • Temporarily turn off mobile data and Wi-Fi
  • Change passwords for banking, email and payment apps
  • Contact your bank/payment service provider to enable monitoring or freeze activity

How to Report

If you suspect you have been targeted by a scam, report it immediately:

Reporting on PhonePe:

Reporting to Authorities:

  • Cyber Crime Cell: File a complaint online at Cyber Crime Portal or call 1930.
  • Department of Telecommunications (DOT): Report suspicious messages, calls, or WhatsApp/Telegram fraud via the Chakshu facility on Sanchar Saathi Portal.

Final note

Digital payments and apps are safe when used with caution. The majority of APK and fake-app frauds occur because we act in haste, out of fear or excitement, without proper verification. Protecting ourselves from significant financial loss requires taking a moment to verify the app’s source, the developer’s email, the permissions requested, and the authenticity of any links. A crucial preventative measure is to completely avoid clicking on unknown links.

Stay alert. Question unexpected links. Download responsibly.

Important reminder — PhonePe never asks for confidential or personal details. Ignore all mails claiming to be from PhonePe if they are not from the phonepe.com domain. If you suspect fraud, please contact the authorities immediately.


*Sources: Press Information Bureau, The New Indian Express
