The cyber wing of the Hyderabad police too recently issued a public advisory warning citizens to stay alert. The advisory cautioned that fraudsters are actively exploiting the festive season by circulating fake APK files and malicious links through WhatsApp, SMS, and emails, targeting unsuspecting online users and draining their financial and personal data.

What is an APK file?

An Android Package Kit or APK is a file used to install applications on your smartphones, especially on Android phones, much like an .exe file on a Windows computer. It contains everything an application needs to work, all packed into one file.

Usually, apps are downloaded safely from the Google Play Store. But APK files can also be downloaded from other websites or shared through apps like WhatsApp, SMS or even email. This is called sideloading.

While sideloading can sometimes be useful, it is risky. If the APK comes from an unknown or untrusted source, it may contain malware that can steal personal information, access your phone, or cause financial loss. That is why APK files should only be installed if the source is fully trusted, and ideally avoided altogether when received through messages or links.

Indianexpress.com spoke to cyber experts to know more about how APK files target unsuspecting users and how online users can stay safe from these attacks.

Cyber expert and legal consultant Tushar Sharma, who is the co-founder of The Organization For Enlightenment & Education (TOFEE), explained how the scam reaches unsuspecting victims.

“The scam typically starts with a friendly New Year message on WhatsApp: ‘Happy New Year 2025! Click here to see your special greeting.’ Sometimes it comes from an unknown number, but often it appears to be from someone familiar, a colleague, distant relative, or friend. In many cases I have looked at, the attackers used compromised WhatsApp accounts to spread the link, making the message seem trustworthy,” he said.

“Clicking on the link leads the user to a festive webpage with animations, fireworks, or New Year wishes in Hindi and English. The site then prompts the user to download an app to ‘view’ the greeting. This app is not from the Google Play Store. It is an APK file hosted elsewhere, and that is the trap,” Sharma said.

Speaking to indianexpress.com, Deepender Singh, a cyber expert with the Betul police in Madhya Pradesh, said earlier, APK files circulating on WhatsApp were sent using straightforward government-sounding names such as RTO Challan.apk, SBI Yojna.apk or KisanYojna.apk. “Out of fear or greed, people assumed it was a traffic challan or a message related to a government scheme and clicked on the APK,” he said.

“However, as festivals like Christmas and New Year approach, fraudsters have changed their strategy. The same APK files are now being shared under the guise of festival, with names like New Year Gift.apk, Christmas Greeting.apk or Last Year New Year Party Pics.apk, prompting people to click without thinking. The file names are chosen to make it seem like a photo or a memorable video sent by someone familiar,” Singh added.

The reality, however, is that whether the name refers to the Regional Transport Office (RTO), the government, or a New Year party photo, the file contains the same malware, he said. “Once installed, it can take complete control of the mobile phone and put everything from banking details to personal data at risk. Therefore, my clear advice is this: if you ever receive an APK file on WhatsApp, do not click on it at all, no matter what name it comes with.”

What is malware?

Malware, short for malicious software, is intrusive software developed by cyber criminals to steal data or damage the system. Common malwares include viruses, worms, Trojan viruses, spyware, adware, ransomware, etc.

What happens after the APK is installed?

Sharma said that once the app is installed, it requests permissions that make little sense for a greeting card:

–          Access to SMS messages

–          Permission to read notifications

–          Access to contacts and storage

In reported cases across India, this access has been used to:

–          Read OTPs sent by banks and payment apps

–          Monitor transaction alerts

–          Take over WhatsApp accounts and resend the scam link

–          Steal contact lists to expand the attack

“In one case from North India, a user installed a New Year greeting app and noticed multiple small UPI transactions within hours. The malware had intercepted OTPs and allowed attackers to gradually test and drain the account to avoid detection. In another instance in a metro city, a victim’s WhatsApp account began sending New Year links automatically to all contacts, including family groups, turning one compromised phone into a distribution point for the scam,” Sharma informed.

Why this scam works well in India

There are several reasons why such attacks continue to succeed, especially in India, Sharma said, while listing the following:

High trust in WhatsApp: For many Indians, WhatsApp is the main communication platform for family, work, and banking alerts.

Android dominance: Most smartphones in India run Android, where APK installation can be misused if users ignore security warnings.

Festive distraction: During New Year celebrations, people are less careful and more likely to click links quickly.

Language localisation: Many scam pages use local languages and cultural references to seem authentic. The attackers don’t rely on sophisticated hacking. They depend on human behaviour.

Warning signs people often overlook

The warning signs are usually there in such scams, but are easy to miss:

–          A greeting that cannot be viewed without installing an app

–          A link that clearly does not belong to a familiar website

–          An app asking for SMS or notification access ‘just to show a message’

What to do if you clicked the link

If you or someone you know may have fallen for this scam:

–          Uninstall the suspicious app immediately

–          Disconnect the phone from the internet and run a trusted mobile security scan

–          Change passwords for WhatsApp, email, and banking apps using another device

–          Inform your bank and closely monitor transactions

–          Alert your contacts so they don’t trust messages coming from your number

–          Register a cyber complaint on cybercrime.gov.in or call the cybercrime helpline 1930 or visit a local police station

“Quick action can greatly reduce the damage. A simple rule to remember I often tell friends and family one thing every New Year, ‘No greeting needs an app.’ If a message wishes you well but asks for permissions, downloads, or changes to settings, it is not celebrating with you. It is targeting you. As we welcome the New Year, staying alert is just as important as staying connected. A moment of caution can protect your data, your money, and your peace of mind,” Sharma opines.

Stay safe online

As the world evolves, the digital landscape does too, bringing new opportunities as well as risks. With each passing day, scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. Stay tuned to our special feature series where we delve into the latest cybercrime trends and provide practical tips to help you remain informed, secure, and vigilant online.