Two weeks ago, a man from Kerala’s Nedumbassery received a message on his phone. It appeared to be from his bank, a routine SMS with a link for a mobile banking update. He had recently withdrawn Rs 4 lakh from his Provident Fund to cover two major expenses: his wife’s upcoming delivery and the construction of their new home. Trusting the message, he clicked on the link, downloaded the app, and entered his credentials, just like he had done many times before.
However, within minutes, his phone got two alerts: one transaction of Rs 1.9 lakh, another of Rs 2.1 lakh, both listed as purchases. Shocked, he rushed to the Ernakulam Rural Cyber Police. They confirmed his worst fear: the app he downloaded from the link was fake, laced with a screen-sharing tool. As he typed in his login details, scammers were watching in real time, taking full control of his bank account.
This isn’t an isolated incident. A growing number of unsuspecting users are falling prey to counterfeit banking applications –– fake versions of real apps that are designed to steal sensitive financial and personal data. Indianexpress.com spoke to cyber experts to understand how these apps operate and what users can do to stay safe.
What are counterfeit banking applications?
“Counterfeit banking apps are fake versions of real banking apps, created by cybercriminals to scam people. These replicate the original, the name may sound similar, but often includes a slight change in a letter, making it difficult for users to spot the difference at first glance,” said Navkar Jain, co-founder, Plus91Labs. “To increase visibility, attackers optimise the description of the counterfeit app using keywords that people typically search for when looking for the legitimate version,” he said.
“These apps are designed to steal financial data by impersonating legitimate banking platforms. Their UIs look real enough to trick users into sharing confidential information,” Ankit Dev Arpan, cyber lawyer and director, Lex Cyber Attorneys, told indianexpress.com.
“Some apps even make it past the security checks of major app stores like Google Play and the Apple App Store,” said Neehar Pathare, MD of 63SATS Cybertech. “This is often done by obfuscating code, delaying malicious activity, or uploading a clean version first, and pushing harmful updates later,” he said.
How do these malicious applications bypass app store checks:
Gradual transformation: Apps start as legitimate-looking tools to pass approval checks. Malicious updates are introduced later.
Story continues below this ad
Deceptive user interface: Fake apps use realistic interfaces to appear trustworthy to both users and app store reviewers, only to later commit cybercrimes.
Miniature versions and third-party redirection: A basic app is uploaded initially but redirects users to third-party websites to download the full malicious version.
Direct distribution: Fraudsters send APK files or shady links via social media, ads, or messaging platforms, bypassing app stores entirely.
How to spot fake banking apps:
Story continues below this ad
Jain, Pathare and Arpan shared tips on how to spot these fake banking applications:
📌Download only from trusted sources: Always use your official website of the bank for links to the apps or QR codes.
📌Double-check app store details: Look at the upload date, download count, and also user reviews. Be cautious if a new app claims millions of downloads.
📌Watch for fake websites: Some fake sites rank high in search results due to paid ads. Don’t trust blindly.
📌Read app permissions carefully: Real banking apps ask only for what’s needed, like camera or location. Fake ones may demand access to contacts, gallery, or screen reading.
📌Look closely at the developer info: Check if the email domain and website link are official. Fake ones often have spelling errors.
📌Enable two-factor authentication: Add extra layer of security and protect your accounts, via two-factor authentication.
📌Don’t ignore spelling errors: Slight changes in app names, website URLs, or emails can mean it’s a fake.
📌Be cautious with direct APK files: Never install banking apps sent via social media, ads, or messaging apps.
📌Beware of too-good-to-be-true reviews: Fake apps often show only positive, generic reviews or have unusually high ratings.
📌Avoid apps with recent release dates: A new app with millions of downloads can likely be a scam.
“Counterfeit apps are designed to extract private information like login credentials, card details, PAN, and even biometric data,” said Jain, adding, “With access to SMS, these apps can read OTPs and steal transaction alerts too.”
“Scammers are creative,” said Arpan. “Sometimes it’s a simple KYC alert or account warning; other times, it’s a tempting offer, like an instant loan or a QR code promising a Rs 100 reward. But once the app is installed, it silently observes, collects data, and in some cases, gives scammers full control of your device,” he said.
Story continues below this ad
Immediate actions to take if counterfeit banking application is installed:
Uninstall the app immediately: Don’t wait, remove the suspicious app and clear its data from your phone.
Turn the internet connection off: Disable Wi-Fi and mobile data right away to stop the app from sending or receiving more information.
Run a malware scan: Use a trusted antivirus or anti-malware app to scan your device and remove any hidden threats.
Change all banking credentials: Update passwords, UPI PINs, and any linked email or app login details to block further misuse.
Contact your bank quickly: Inform them about the fraud, freeze your account if needed, and get recent transactions reviewed.
Story continues below this ad
Report to cybercrime helpline: File a complaint at cybercrime.gov.in or dial 1930 to report the incident.
Use kiosk scanners if available: In India, public device scanning kiosks, like those by National Forensic Sciences University (NFSU) Gandhinagar, can help detect deeper threats.
Factory reset, as a last resort: If malware persists, back up important data safely (without connecting to other devices) and reset your phone.
What is India doing to combat such scams?
According to Jain, “India is taking serious steps to combat these frauds and on the legal front, law enforcement agencies and cybercrime units are becoming increasingly proactive in tracking digital footprints, arresting fraudsters, and coordinating with banks and telecommunication companies.”
Story continues below this ad
Pathare said, “App stores are improving fraud-app detection mechanisms. Banks are adopting sophisticated security features like multi-factor authentication and fraud detection systems to secure customer information. Awareness campaigns are also helping educate users.”
“India’s cybercrime response is backed by laws like the IT Act, 2000, the Bharatiya Nyaya Sanhita (BNS), and the Digital Personal Data Protection (DPDP) Act,” said Arpan. “The National Cyber Crime Reporting Portal and helpline 1930 simplify reporting, while initiatives like Cyber Dost and institutions like NFSU boost public awareness and expertise.”
Arpan also stressed the need for stricter app store vetting, deeper rural outreach, and hiring trained cyber and legal experts. He also suggested a national portal to flag and disable fake apps in real time.
As digital banking becomes part of daily life, these scams serve as a reminder that a single careless click can cost someone their life’s savings, making vigilance not just a habit, but a necessity.
The Safe Side:
Story continues below this ad
As the world evolves, the digital landscape does too, bringing new opportunities – and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.