
‘If You Don’t Update KYC, Your Bank Account Will Be Blocked’: New APK Scam Could Cost You Lakhs, How To Prevent It

In a recent public notice, Punjab and Sind Bank (PSB) warned its customers about an ongoing scam carried out in the bank's name. The bank said it is important to be aware of the scam to protect your money from fraudsters. The scam (the APK scam) starts with a fake message, purporting to be from the bank, stating that your bank account will be blocked due to a KYC update. In reality, the bank never sent such a message and your KYC will not expire.

“They ask customers to download malware-laden APK files to steal accounts and personal information,” Punjab and Sind Bank said in the notice.

How exactly does the scam happen? And what false narratives do scammers create to lure you into following their call to action? Read on to learn more about it and stay vigilant.

How APK Fraud Occurs

The APK scam is carried out in three steps:
Step 1: Creating a false narrative to cause panic
Step 2: Pushing you to download and install a malicious APK file
Step 3: Taking fraudulent actions such as installing a keylogger (a keylogger can track every key pressed on a mobile phone keyboard), launching a ransomware attack, or accessing the clipboard

Step 1: False Narrative
According to Kaushik Ray, COO, Whizhack Technologies, the fraudsters first send an SMS that looks like it came from a bank; the tone and language of such fraudulent SMSes are very similar to real bank messages. The SMS carries a fake narrative about a blocked bank account, UPI activity or something similar, attributed to pending KYC updates or other reasons. “These narratives play on the desires or fears of users, effectively bypassing rational judgment and exploiting gaps in digital literacy,” says Ray.

“The goal of such narratives is to create panic and then trick people into installing malicious APK files on their mobile devices. These are social engineering tactics. APK scams often work through a combination of social engineering and user disinformation. Cybercriminals typically use persuasive narratives that create a sense of urgency or offer a unique benefit to convince users to download the APK,” he explains further.

For example: The scam SMS may state that if you do not click on the link to download the APK file, your bank account will be frozen as its KYC status is pending or has expired, etc.

Another possible version is that the fraudulent SMS may inform you that your loyalty points will expire soon, so you need to download the file to use them, otherwise the accumulated points will be lost.

Ray says that sometimes the narrative may not be exploiting fear, but rather greed. “For example, they might advertise an APK as a way to access a popular feature that isn’t yet available to others, or an app that provides free services that would usually require payment,” he says.

In most cases, these narratives work in the fraudster’s favor because people are naturally programmed to be concerned about the safety of their assets, which in this case is the money stored in the bank. Imagine someone posing as a bank employee informing you that all the money you have stored in the bank will be frozen indefinitely if you don’t do something about it immediately. One of the first things that will pop into your head is how you will pay your children’s school fees, how you will buy vegetables for dinner tonight, or even how you will recharge your DTH or mobile phone. A bank account drives our daily lives in unimaginable ways and freezing it would mean cutting yourself off from life’s activities.
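A first-pass filter for the narratives described in Step 1, as an added example that is not part of the original article or the bank's notice: it scores an SMS on the signals named above (a link to an APK, a request to download or install, a KYC or points pretext, urgency, a free-feature lure). The word lists, weights, threshold and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

URL = re.compile(r"https?://\S+", re.I)
INSTALL = re.compile(r"\b(download|install)\b", re.I)
# Word lists are assumptions built from the narratives in this article.
PRETEXT = re.compile(r"\b(kyc|loyalty points|reward points|upi)\b", re.I)
URGENCY = re.compile(r"\b(blocked|frozen|suspended|expired?|expiring|immediately)\b", re.I)
LURE = re.compile(r"\b(free|premium|early access)\b", re.I)

def links_to_apk(text):
    """True if any URL in the message has a path ending in .apk."""
    for raw in URL.findall(text):
        path = urlparse(raw.rstrip(".,;)")).path  # drop trailing punctuation, ignore query string
        if path.lower().endswith(".apk"):
            return True
    return False

def score_sms(text):
    """Return (score, reasons) for one SMS body; higher is more suspicious."""
    checks = [
        (3, "link to an .apk file", links_to_apk(text)),
        (2, "asks to download/install via a link",
         bool(INSTALL.search(text)) and bool(URL.search(text))),
        (1, "account/KYC/points pretext", bool(PRETEXT.search(text))),
        (1, "urgency or threat wording", bool(URGENCY.search(text))),
        (1, "free or exclusive-feature lure", bool(LURE.search(text))),
    ]
    reasons = [why for _, why, hit in checks if hit]
    return sum(weight for weight, _, hit in checks if hit), reasons

def is_suspicious(text, threshold=3):
    return score_sms(text)[0] >= threshold  # threshold is an assumed cut-off

# Constructed sample messages (not real bank or scam SMS).
SAMPLES = [
    "Dear customer, your account will be blocked today as KYC is pending. "
    "Download the update now: http://kyc-update.example/PSB_KYC.apk",
    "Your loyalty points are expiring soon. Install our app to redeem: "
    "https://rewards.example/redeem",
    "Get premium features free with this early access build "
    "http://apps.example/build.apk?ref=sms",
    "Your A/c XX1234 is credited with INR 5,000.00 on 02-Aug. Avl bal INR 12,300.00",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        score, reasons = score_sms(sms)
        print(score, "SUSPICIOUS" if is_suspicious(sms) else "ok", reasons)
```

A keyword filter like this only triages; a message that scores low can still be fraudulent, so the bank's advice not to install files from links applies regardless of the score.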

Step 2: Installing the Malicious APK File

Once the scammers convince you with their stories, they tell you to install malicious APKs. “Once installed, the hacker receives a connection on their hacker device, which allows the hacker access and control over the infected mobile device to facilitate malicious activities,” Ray says.

Step 3: Launching a Cyberscam Attack

Ray reports that once a hacker takes control of your device, they can launch a number of attacks, including ransomware. If you become the target of a ransomware attack, your mobile device will be locked and the hacker will not release the lock until you pay the ransom demanded. The hacker may also threaten to leak private and confidential documents, photos, and more online if you do not pay the ransom.

Ray further says that some hackers may not use ransomware against you, but instead install keyloggers to learn your net banking ID and password, UPI PIN, or other credentials. “One of the common malware functionalities that comes from fake APKs could be keyloggers and clipboard access. A keylogger records all keystrokes made on a device, which can capture everything from passwords to credit card numbers. Similarly, by accessing the clipboard, the malware can read any copied data, such as passwords and account numbers. This data can then be used to hack into net banking or UPI accounts, leading to financial theft or identity fraud,” he says.

Punjab and Sind Bank Alert

Source: Punjab and Sind Bank website as of August 2, 2024

How to Prevent APK Scams

As per the public notice issued by Punjab and Sind Bank, here is what you should do:

  • Never download files received from strangers.
  • Never click on unknown links.
  • Block and report suspicious contacts.
  • Do not share your personal information with anyone on the Internet.

According to Ray, the APK scam specifically targets Android devices since APK is the file format used by Android.

“iOS devices use a different format called IPA (iOS App Store Package) and have a closed ecosystem that generally does not allow for the installation of apps from third-party sources without jailbreaking the device. This does not mean that iOS devices are immune to similar scams; they simply do not use APK files. iOS users can still be targeted through other means, such as phishing or malicious profiles and apps installed via the use of enterprise certificates or sideloading techniques,” he says.