
APK SCAM AND CYBER FRAUD: MEANING, CHALLENGES, WAY FORWARD

India has reported over 12.47 lakh cybercrime cases in the last six months, with daily financial losses ranging from ₹10 to ₹15 lakh. The country's framework includes the Information Technology Act, Bhartiya Nyaya Sanhita, National Cyber Security Policy, and Cyber Swachhta Kendra. However, outdated laws, low digital literacy, and jurisdictional complexity contribute to vulnerabilities.


Context

APK scams are increasing due to rapid digital adoption, low user awareness, and sophisticated criminal tactics.

What is APK Scam?

It is a type of cyber fraud that involves malicious Android Package Kit (APK) files. Fraudsters exploit these files to spread malware.

How does it work?

Step 1 => Scammers contact victims through a call or message, warning them about issues like blocked bank accounts, missed government subsidies, or pending electricity bills.

Step 2 => They send a link to an app that mimics the official portals of trusted institutions, such as government subsidy schemes (e.g., PM-Kisan), tax refund platforms, electricity boards, or banks requesting KYC updates.

Step 3 => Once installed, these apps request permissions like access to contacts, SMS, notifications, call logs, location, and the microphone.

Step 4 => The app runs in the background, monitoring, mirroring, and mining all data and transmitting it to external servers operated by the fraudsters.
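The permission pattern in Step 3 can be checked before an app is trusted. The sketch below is an added example, not part of the original article: it reads an `AndroidManifest.xml` that has already been decoded to text (for instance with apktool) and reports which of the Step 3 data categories the app asks for. The sample manifests, the package names and the threshold of four categories are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Step 3's data categories mapped to the Android permissions that grant them.
CATEGORIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}
# Notification access is not a <uses-permission>: the app declares a service
# guarded by this permission and the user enables it in system settings.
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage(manifest_xml, threshold=4):
    """Return (sorted Step 3 categories requested, flagged) for a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    hits = {c for c, perms in CATEGORIES.items() if perms & requested}
    if any(s.get(ANDROID + "permission") == NOTIF_LISTENER
           for s in root.iter("service")):
        hits.add("notifications")
    # threshold is an assumed cut-off: flag apps asking for most of the list.
    return sorted(hits), len(hits) >= threshold


# Constructed manifests (not from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
P = '<uses-permission android:name="android.permission.%s"/>'
SUSPECT = (
    f'<manifest {NS} package="com.example.kycupdate">'
    + "".join(P % p for p in ("READ_SMS", "READ_CONTACTS", "READ_CALL_LOG",
                              "RECORD_AUDIO", "INTERNET"))
    + '<application><service android:name=".Sync" android:permission="'
    + NOTIF_LISTENER + '"/></application></manifest>'
)
BENIGN = (f'<manifest {NS} package="com.example.maps">'
          + P % "ACCESS_FINE_LOCATION" + P % "INTERNET" + "</manifest>")

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```
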

Cyber Fraud in India 

The National Cyber Crime Reporting Portal registered over 12.47 lakh cybercrime cases of different types in six months of 2025. Officials report 20 to 30 cases daily, with daily financial losses between ₹10 and ₹15 lakh. (Source: The Hindu)

Officials estimate that 60% to 70% of malicious APKs used in India are developed locally in Delhi NCR, Meerut, Uttar Pradesh, Jamtara, and parts of Jharkhand.  (Source: The Hindu)

  • The remaining 30% to 40% originate internationally, with traces leading to the U.S., U.K., and China.

Telegram channels and dark web marketplaces serve as primary distribution channels, delivering pre-built APK kits and modules for a fee.

According to the Home Affairs Ministry, Indians lost Rs 22,845.73 crore to cyber criminals in 2024.

According to CloudSEK's ThreatLandscape Report 2024, India emerged as the second most targeted nation for cyber attacks, after the USA.

Framework in India to fight against Cyber Fraud/Scam

Legislative Framework

Information Technology Act, 2000 (IT Act): Regulates e-commerce, e-governance, and e-banking, and imposes penalties and punishments for cybercrimes.

  • Section 43 imposes penalties up to Rs 1 crore for unauthorized access and virus introduction.

Bhartiya Nyaya Sanhita (BNS): Provisions related to theft, cheating, dishonest misappropriation, and mischief, applicable to cyber incidents.

Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021: Establishes a legal structure for social media platforms, OTT platforms, and digital news providers, including data safeguarding and complaint redressal.

National Cyber Security Policy 2023: Aims to safeguard information and infrastructure, prevent and respond to cyber threats, minimize vulnerabilities.

Proposed Digital India Act: Set to replace the IT Act, focusing on online safety, trust, accountability, open internet, and regulating new technologies like AI and blockchain.

Institutional Framework and Initiatives

Computer Emergency Response Team – India (CERT-In): Provides guidelines for monitoring, detecting, preventing, and managing cybersecurity incidents.

  • Analyzes threats, responds to incidents, coordinates management efforts, conducts forensics, and recommends mitigation measures.  

National Critical Information Infrastructure Protection Centre (NCIIPC): Established under the IT Act to safeguard Critical Information Infrastructure (CII), covering sectors like power, banking, telecom, transportation, and government.

National Cyber Crime Reporting Portal: Allows citizens to report cybercrime cases.

Cyber Swachhta Kendra: Detects malicious programs and provides free tools for malware cleaning, including M-Kavach for mobile threats.

Reserve Bank of India (RBI): Issued a comprehensive Cyber Security Framework for all scheduled commercial banks.

International Coordination: CERT-In coordinates with counterpart agencies in foreign countries on cyber incidents originating outside India.

Challenges

India lacks comprehensive legislation to address the full spectrum of cybercrimes. Current laws fail to cover emerging threats like phishing and cyberstalking.  

Low levels of digital literacy and limited awareness of cyber threats exacerbate vulnerabilities. Only 12% of individuals over 15 years of age in India have ICT skills, according to the Centre for Economic and Social Studies (CESS).

Hackers and cybercriminals are using AI to identify victims and exploit vulnerabilities.

Developers use encryption techniques to hide malicious code from detection tools. APKs remain dormant during installation, bypassing antivirus software scans.

Local operators are arrested, but the masterminds and developers/coders remain difficult to track.

Stolen funds move through layers of digital laundering and are converted into cryptocurrency via temporary "mule accounts," making recovery impossible.

Fraudsters reuse the same website or APK file with minor interface modifications (name, logo, URL), bypassing detection even after earlier versions are blacklisted.

Fraudsters conduct digital surveillance. Data leaked from sources like customer directories of malls, hospitals, and service portals, or social media details, allows criminals to customize their approach and craft convincing, urgent messages.

Google or other intermediaries do not scrutinize every application hosted on their servers. Fraudsters exploit this by using mule accounts and shell identities.

Way Forward

Amend existing laws to align with evolving technological advancements and emerging threats. Enhance penalties for cybercrimes, clarify ambiguous sections, and ensure stronger enforcement mechanisms.

The Digital Personal Data Protection Act, 2023, must be implemented carefully and transparently, balancing innovation with the protection of fundamental rights.

Invest in advanced tools and training for cyber forensics teams to improve their capabilities in detecting, preventing, and responding to cyber threats effectively.

Join the Budapest Convention on Cybercrime to align efforts with global standards and facilitate cross-border collaboration in addressing cyber threats.

Implement stronger regulations or cooperative frameworks that require platforms like Google to enhance scrutiny of applications hosted on their servers.

Develop more robust systems to detect the use of temporary "mule accounts" and shell identities for laundering funds. The RBI launched the "MuleHunter.ai" tool to combat cyber fraud.

Educate citizens about the tactics of cyber fraud, the dangers of clicking suspicious links, installing apps from unknown sources, and verifying urgent messages.

Implement stricter measures to prevent data leaks from customer directories of malls, hospitals, and service portals, limiting fraudsters' ability to conduct targeted surveillance.

Develop systems that can quickly identify and blacklist variations of reused malicious websites or APK files, rather than waiting for individual reports or blacklisting.

The government must strike a balance between strengthening cybersecurity measures for national security and defending the rights and privacy of citizens.
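The challenge noted earlier, that a reused APK with a changed name, logo or URL slips past a blacklist, and the recommendation above to catch such variations, can be illustrated with byte-level similarity matching. This added example is not from the original article: it compares a file's overlapping 8-byte windows against known-bad samples, so a rebranded copy scores high even though its hash no longer matches. The sample bytes, labels, window width and 0.7 threshold are all constructed assumptions.

```python
import hashlib

K = 8  # shingle width in bytes; an assumed value for this example


def shingles(data, k=K):
    """Set of every k-byte window in data."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def jaccard(a, b):
    """Shared windows divided by all windows seen in either input."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def check(sample, blacklist, threshold=0.7):
    """Return (exact_hash_hit, closest_label_or_None, score).

    blacklist maps a label to the bytes of a known-bad file. exact_hash_hit
    is what a plain hash blacklist sees; the other two come from similarity.
    """
    digest = hashlib.sha256(sample).digest()
    exact = any(hashlib.sha256(b).digest() == digest
                for b in blacklist.values())
    s = shingles(sample)
    score, label = max(((jaccard(s, shingles(b)), name)
                        for name, b in blacklist.items()),
                       default=(0.0, None))
    return exact, (label if score >= threshold else None), round(score, 2)


def _body(seed):
    """Constructed 1 KiB stand-in for app code (pseudo-random bytes)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest()
                    for i in range(32))


# Constructed samples: same code, different name and URL; plus unrelated app.
KNOWN = b"name=Subsidy Helper;url=https://a.example/api;" + _body(1)
VARIANT = b"name=Subsidy Portal;url=https://b.example/api;" + _body(1)
UNRELATED = b"name=Torch;" + _body(2)
BLACKLIST = {"sample-001": KNOWN}
```

Calling `check(VARIANT, BLACKLIST)` reports no exact hash hit but still names `sample-001` as the closest match, while `UNRELATED` matches nothing.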

Source: THE HINDU

PRACTICE QUESTION

Q. Analyze the role of technological gaps and public awareness deficits in exacerbating the problem of cyber fraud in India. 150 words

Frequently Asked Questions (FAQs)

India faced a massive surge in cybercrime in 2024, with financial losses skyrocketing to Rs 22,845.73 crore, a 206% increase from the previous year, and over 36 lakh financial fraud incidents reported.

Fraud occurs without your participation, where victims are unaware and haven't given authorization, while a scam relies on your involvement, where victims authorize transfers or provide information thinking the situation is genuine.

The DPDP Act, 2023, is India's first cross-sectoral legislation on data protection, requiring consent for processing personal data, granting consumers rights over their data, and imposing obligations on businesses.
