Cyber Scammers using Social Engineering and Malicious APKs to Steal Money


Introduction

With the rapid growth of digital transactions and online services, cyber scams have evolved, using more advanced techniques to deceive users. One recent scam sheds light on the extent of manipulation that scammers employ, using fake apps (malicious APKs) and social engineering tactics to steal money. This article will explain how this scam was executed, what vulnerabilities were exploited, and how users can protect themselves from such attacks.

Understanding the Scam: A Real-Life Case

In October, a traveler named Bhargavi Mani lost nearly Rs 1 lakh while trying to book lounge access at Bengaluru airport. The scam began when she received a message on WhatsApp from an international number, instructing her to download an app file in APK format (the type typically used for Android devices). This APK file appeared legitimate but was, in fact, malicious. After downloading it, she unknowingly granted the scammers control over her device.

What Happened Next?

The scammers tricked Ms. Mani into granting screen mirroring access during a video call, claiming to be customer service representatives. Once they had this access, they managed to initiate an unauthorized transaction of Rs 87,125 from her credit card to a PhonePe account. They attempted further transactions, but her credit card limit prevented these from going through.

To add to the complexity, Ms. Mani noticed that her friends and contacts couldn’t reach her phone, as calls were being redirected to someone else. This may have been due to call forwarding, which the scammers had enabled on her phone. This allowed the scammers to intercept calls, potentially gaining access to One-Time Passwords (OTPs) needed for further transactions.

How Do Cybercriminals Use Social Engineering and Fake Apps?

This scam relied heavily on social engineering—a tactic where scammers manipulate victims into trusting them. Here’s how the main elements worked:

  1. Fake Website and App Download:
    • Ms. Mani was directed to download the APK from a website, “Loungepass.in,” which mimicked the look and feel of Loungepass.com, a legitimate airport lounge booking site. The fake website appeared among Google search results, demonstrating a gap in verification for top search engine listings.
    • With the APK downloaded, the scammers could remotely control certain features on her phone.
  2. Screen Mirroring and Call Forwarding:
    • During a video call, Ms. Mani unknowingly enabled screen mirroring. This allowed the scammers to watch and control her screen in real time, which they used to initiate unauthorized transactions.
    • By activating call forwarding, the scammers diverted her incoming calls to their number. This trick effectively silenced her device and allowed them to intercept OTPs sent via calls or messages, granting even more access to her accounts.
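
The Loungepass.in / Loungepass.com swap described above is a pattern that can be checked mechanically before a link is trusted. The following Python check is an added example, not code from the original article: it compares a hostname against an allow-list and flags same-name/different-suffix and near-miss spellings. The allow-list, the small suffix set (a stand-in for the Public Suffix List), the verdict names and the distance threshold of 2 are assumptions.

```python
# Added example: flag lookalikes of an allow-listed brand domain.
TRUSTED = {"loungepass.com"}  # the legitimate site named in the article
# Tiny constructed stand-in for the Public Suffix List (assumption).
MULTI_SUFFIXES = {"co.in", "co.uk", "com.au"}


def split_host(host):
    """Return (registrable label, suffix), e.g. ('loungepass', 'in')."""
    parts = host.strip().lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, trusted domain the host resembles, or None)."""
    label, suffix = split_host(host)
    if f"{label}.{suffix}" in TRUSTED:
        return "trusted", f"{label}.{suffix}"
    if label.startswith("xn--"):
        return "idn-review", None  # punycode label: inspect the decoded form by hand
    for good in sorted(TRUSTED):
        g_label, _ = split_host(good)
        if label == g_label:
            return "tld-swap", good  # same name, different suffix
        if label.replace("-", "") == g_label or edit_distance(label, g_label) <= 2:
            return "near-miss", good  # hyphen or typo variant
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample hostnames; only the first two appear in the article.
    for h in ["www.Loungepass.com", "Loungepass.in", "lounge-pass.co.in", "loungepas.com"]:
        print(h, classify(h))
```

A "tld-swap" or "near-miss" verdict means the name closely resembles a trusted brand without being it, which is the case to treat as suspicious; "unknown" only means the host resembles nothing on the allow-list.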

How Do Fake Apps Work on iOS Devices?

While Apple’s iOS is known for strong security measures, this scam used a workaround. Typically, iOS prevents apps from being installed outside the official App Store, where Apple vets each app for security. However, there’s an exception: iOS allows users to enable a setting that permits the testing of unreleased apps. By guiding victims to activate this setting, scammers can bypass the App Store’s protections.

Financial and Data Implications in India

India has seen a worrying rise in cybercrime, especially in digital financial fraud. According to reports, cyber scams have led to significant financial losses:

  • In 2023 alone, Rs 66.66 crore was lost across 4,850 cases of online scams.
  • Over the last three years, digital financial frauds in India amounted to Rs 1.25 lakh crore.
  • India ranked fifth globally in the number of breached accounts in 2023, with approximately 5.3 million accounts leaked.

These figures highlight the risks for online users in India, where cybercriminals have adopted increasingly sophisticated methods to access financial information.

Common Techniques Used in Cyber Scams

  1. Phishing Websites:
    • Scammers often create websites that mimic legitimate sites. When users input personal details, such as passwords or payment information, these get transmitted to scammers.
  2. Social Engineering:
    • This involves manipulation, such as pretending to be a customer service representative, to gain a user’s trust. Victims may then share sensitive information or grant permissions they wouldn’t usually provide.
  3. Fake Apps and APKs:
    • APKs (Android Package Kits) are files used to install applications on Android devices. Malicious APKs can install malware, enabling scammers to control devices, access data, and make unauthorized transactions.
  4. Call Forwarding and OTP Interception:
    • By enabling call forwarding, scammers can receive all incoming calls, including calls that deliver OTPs for bank transactions. This allows them to bypass security steps meant to protect user accounts.

How to Protect Yourself from Cyber Scams

To avoid falling victim to cyber scams, it’s essential to stay alert and follow these precautions:

  1. Avoid Downloading Apps from Unverified Sources:
    • Only download apps from official app stores (like Google Play or Apple’s App Store) where security checks are more stringent. APKs from unknown sources may contain malicious code.
  2. Beware of Phishing Websites:
    • Be cautious when clicking on links sent via SMS, email, or social media, even if they appear legitimate. If in doubt, search for the official website independently.
  3. Do Not Grant Remote Access or Screen Mirroring:
    • Avoid granting screen sharing or remote access unless you are certain of the person’s identity. Scammers often use these permissions to control your device.
  4. Regularly Monitor Financial Statements:
    • Check your bank and credit card statements frequently for any unauthorized transactions. Early detection can help you take quick action.
  5. Protect Personal Data:
    • Avoid sharing sensitive information over the phone or through text messages. Cybercriminals use various methods to impersonate customer service representatives to extract this information.
  6. Strengthen Security with Regular Password Changes:
    • Use unique passwords for each account, change them regularly, and consider using a password manager to keep track of them securely.

Final Thoughts

This case involving Bhargavi Mani highlights the complexity and reach of modern cyber scams. Scammers today use a mix of psychological manipulation and technical tricks to bypass device security and gain control over users’ personal information and finances. The best defense is vigilance, combined with a cautious approach to any unsolicited messages, downloads, or permissions on your device.

Digital financial fraud is a growing issue, and it’s up to users to educate themselves and adopt safety measures to stay safe in an increasingly connected world. Remember, if something feels off, it probably is. Always double-check links, apps, and permissions before proceeding.
