A joint operation by the Cyber Crime Police Station and Katghar Police in Uttar Pradesh’s Moradabad has uncovered an alleged interstate cyber fraud network operating through malicious Android application files.
Police arrested three individuals accused of running the operation from a rented house in Bhainsiya village under the Katghar police station area.
During preliminary questioning, the suspects allegedly disclosed involvement in cyber fraud transactions estimated at between ₹60 lakh and ₹70 lakh.
The investigation remains ongoing, and the allegations against the accused are subject to judicial determination.
Technical Surveillance Led Police to Rented House
The police operation began after investigators analysed suspicious mobile numbers identified through:
- The Pratibimb Portal
- The National Cyber Crime Reporting Portal
- Technical surveillance
- Digital communication records
Based on the information collected, officers traced the suspected activity to rented accommodation in Bhainsiya village.
Police allege that the premises was being used as an operational base for sending malicious messages, handling compromised mobile devices and conducting unauthorised financial transactions.
Three Accused Arrested
The arrested individuals were identified by police as:
- Guddu Ansari, a resident of Jamtara district
- Rafiq Ansari, a resident of Jamtara district
- Karim Ansari, a resident of Dumka district
Investigators are examining whether the accused were part of a larger cybercrime network operating across state boundaries.
The Jamtara and Dumka regions have previously appeared in investigations involving phishing, mobile banking fraud and social engineering networks. However, the liability of the present accused must be determined independently on the evidence collected in this case.
Sixteen Complaints Reportedly Linked to Accused
According to police, at least 16 complaints involving the arrested individuals had already been recorded on the National Cyber Crime Reporting Portal.
Investigators are comparing these complaints with:
- Phone numbers recovered during the raid
- Bank accounts allegedly used by the network
- SIM card activation records
- Device identifiers
- Transaction histories
- Digital communication logs
This analysis may help establish the number of victims and the total amount allegedly siphoned through the operation.
Woman Accused of Providing Accommodation
Police have also registered a case against a woman who allegedly provided accommodation to the suspects.
She was reportedly absconding at the time of the police statement, and efforts were underway to locate her.
Investigators are examining whether she merely rented the premises or had knowledge of, or involvement in, the alleged cybercrime activities.
Her role remains subject to investigation.
Fraudulent Messages Used Multiple Themes
According to investigators, the alleged network sent deceptive messages through:
- Telegram
- SMS
The messages were designed to appear connected with commonly trusted services and everyday concerns.
They allegedly referred to:
- Bank KYC updates
- Pending electricity bills
- Courier deliveries
- Government welfare schemes
- Traffic challans
- Wedding invitations
Each message attempted to persuade the recipient to download an attached or linked Android application file.
What Is an APK File?
APK stands for Android Package Kit. It is the file format used to install applications on Android devices.
Applications downloaded from official app stores generally undergo security screening. However, APK files received directly through messages, emails or unknown websites may bypass those safeguards.
A malicious APK may be designed to obtain access to:
- SMS messages
- Contacts
- Notifications
- Screen activity
- Accessibility services
- Banking applications
- Stored files
- Device controls
Users may grant these permissions without understanding their consequences because the application appears to serve a legitimate purpose.
Malware Allegedly Took Control of Victims’ Phones
Police allege that once victims installed the APK files, malware infected their smartphones and enabled the suspects to access sensitive information.
The malicious application may have allowed criminals to:
- Read incoming OTPs
- Monitor banking notifications
- Capture login credentials
- View screen activity
- Control certain device functions
- Initiate unauthorised transactions
Investigators are conducting technical examinations to determine the specific capabilities of the malware allegedly used in the operation.
Banking Credentials Allegedly Stolen
After obtaining access to a victim’s phone, the network allegedly attempted to steal:
- Mobile banking usernames
- Account passwords
- Debit card information
- OTPs
- UPI credentials
- Other authentication details
The stolen data was then allegedly used to conduct unauthorised financial transactions.
Police are tracing the destination accounts to determine whether mule accounts, payment wallets or cryptocurrency channels were used to move the funds.
Devices and Documents Seized
During the raid, police reportedly recovered:
- Seven mobile phones
- Four pen drives
- Twenty-three activated SIM cards
- Ten new SIM cards
- Ten ATM and smart cards
- Eleven suspected forged Aadhaar cards
- Seven PAN cards
- ₹25,000 in cash
The seized material has been sent for forensic analysis.
Investigators are examining whether the identity documents were genuine, altered, stolen or created using false information.
Multiple SIM Cards Under Examination
The large number of SIM cards recovered may help investigators establish how the alleged network operated.
Police may examine:
- Subscriber identity records
- KYC documents used for activation
- Call detail records
- Internet data sessions
- Device-location histories
- Links to cybercrime complaints
Cybercriminals frequently rotate SIM cards and mobile numbers to avoid detection after victims report fraudulent messages.
Forged Identity Documents May Reveal Wider Network
The recovery of suspected forged Aadhaar and PAN cards has expanded the scope of the investigation.
Authorities are examining whether the documents were allegedly used for:
- SIM card activation
- Opening bank accounts
- Creating payment wallets
- Renting accommodation
- Registering online accounts
- Concealing the identities of operators
The source of these documents and the involvement of any additional facilitators are also under investigation.
Digital Forensics to Determine Full Scale
Forensic experts are expected to analyse the seized mobile phones and storage devices for:
- Malware files
- Victim databases
- Call records
- Fraud scripts
- Bank account details
- Messaging histories
- Deleted files
- Remote access tools
- Cryptocurrency wallet information
The findings may reveal whether the accused were creating the malicious applications themselves or receiving them from a separate technical operator.
Why APK-Based Fraud Is Effective
Cybercrime expert and former IPS officer Prof. Triveni Singh has warned that APK-based attacks remain particularly effective because they combine malware with social engineering.
Victims are more likely to install an application when the message appears to involve an urgent or familiar issue, such as:
- An electricity disconnection warning
- Expired bank KYC
- An undelivered parcel
- A pending traffic fine
- A government benefit
- A wedding invitation
The criminal relies on urgency and trust to make the user bypass normal security precautions.
Never Install APK Files Received Through Messages
Users should not install APK files received through:
- Telegram
- SMS
- Social media
- Unknown websites
Applications should be installed only through official app stores or verified sources provided directly by the legitimate organisation.
Banks, electricity departments, courier companies and government agencies generally do not require customers to install applications through unsolicited message attachments.
Warning Signs of a Malicious Application
Users should immediately become suspicious when an application requests access to:
- Accessibility settings
- SMS messages
- Screen sharing
- Device administration
- Contacts
- Notifications
- Banking applications
A utility, wedding invitation, courier or KYC application normally has no legitimate reason to request extensive control over a smartphone.
What Victims Should Do
A person who has installed a suspicious APK should:
- Disconnect the phone from mobile data and Wi-Fi.
- Avoid carrying out further banking transactions on the device.
- Contact the bank through its official channel.
- Change banking and email passwords from a clean device.
- Review recent transactions.
- Uninstall the suspicious application.
- Report the incident through the national cybercrime reporting system.
- Call the cyber fraud helpline 1930 promptly.
Rapid reporting may improve the possibility of freezing funds before they are moved through multiple accounts.
Investigation Into Financial Trail Continues
Police are examining:
- Bank accounts linked to the accused
- ATM and smart cards recovered during the raid
- Call detail records
- Digital devices
- Cash withdrawals
- UPI transactions
- Possible mule accounts
- Links with other associates
Investigators are also trying to determine whether the suspects received technical support, victim data or malicious APK files from other members of the alleged network.
Further Arrests Possible
Officials stated that additional arrests and legal action cannot be ruled out as forensic and financial evidence is analysed.
The investigation is focused on identifying:
- Malware developers
- Account providers
- SIM card suppliers
- Mule account holders
- Network coordinators
- Final beneficiaries
The total value of the alleged fraud may also change as additional complaints and transaction records are verified.
Shunyatax Global Insight
Shunyatax Global says that APK fraud succeeds because users are persuaded to treat an unknown application as an official communication. Banks, businesses and government departments should repeatedly inform customers that legitimate updates, bills and verification processes do not require installing files received through private messages. Individuals should restrict application downloads to official stores, review app permissions carefully and immediately report suspicious transactions before the money is layered through mule accounts.