
Ahmedabad, June 25 (IANS) The Ahmedabad Cyber Crime Branch on Thursday arrested three alleged members of a Jharkhand-based cyber fraud network accused of creating and distributing malicious Android application package (APK) files that allowed criminals across the country to gain unauthorised access to mobile phones and steal money from bank accounts.
Those arrested include the alleged developer of the APK files, Purnanand alias Mukesh Tiwari, 28, of Giridih district in Jharkhand, who was apprehended from a moving train with the assistance of the Railway Protection Force near Kishanganj.
Two other accused, identified as Vikas Das, 33, and Sitaram Nakul Mandal, 26, were also arrested.
The case was investigated under the supervision of senior officials after Naresh Sabnani, a resident of the Hansol area in Ahmedabad, lodged a complaint.
According to police, Sabnani received a WhatsApp message purportedly from Sabarmati Gas Limited warning that his gas connection would be disconnected unless a pending bill was updated.
The message directed him to contact a supposed bill update officer and download an application named “Sabarmati Gas Bill Update.apk”.
Police said the complainant downloaded the APK file and subsequently lost Rs 6,68,914 from his HDFC Bank account through a series of fraudulent transactions.
Following the incident, the complainant registered a complaint with the 1930 Cyber Helpline and the Cyber Crime Police Station.
The complaint was registered under Sections 319(2), 318(4), 61(2)(A), and 54 of the Bharatiya Nyaya Sanhita, 2023, and Sections 66(C), 66(D), 43, and 66 of the Information Technology Act.
Addressing a press conference, Dr Sinha said: “After downloading the APK file, the complainant’s phone was hacked, and Rs 6.68 lakh was withdrawn from his account. During the investigation, we achieved significant success by arresting one of the main accused, who developed the APK file. Along with him, two other accused were also arrested. All three are from the Giridih-Jamtara belt of Jharkhand.”
Investigators said technical analysis and intelligence gathering led them to Tiwari, who allegedly developed malicious APK files and operated a Telegram bot through which the software was marketed and distributed to cyber criminals.
“The main accused had developed APK files and Telegram bots. We have exposed the misuse of these bots during the investigation,” Sinha said.
Police said the Telegram bot contained options including “Download APK File”, “Replace APK”, “View My APKs”, “Purchase New APKs” and “Renew Existing APKs”.
Users could purchase templates impersonating services such as SBI KYC, SBI Rewards, Bank of India, Bank of Baroda, Indian Overseas Bank, Union Bank, Yes Bank, Central Bank of India, City Union Bank, Axis Bank, Federal Bank, IndusInd Bank, Saraswat Bank, RTO e-challans, BSES bill updates and Mahavitran electricity services.
According to investigators, Tiwari had created APK files impersonating at least 18 banks. Police also recovered APK files linked to customer support services, RTO e-challan systems and other entities from devices seized during the investigation.
“He sold these APK files for Rs 12,000 per month. On average, he had between 300 and 400 clients every month. Through these subscriptions, he was earning approximately Rs 40 lakh to Rs 50 lakh per month,” Sinha said.
Police said Vikas Das acted as a supplier who distributed the APK files to buyers. He allegedly received payments through SBI’s YONO Cash facility, which allows cardless ATM withdrawals.
Investigators found that purchasers shared YONO Cash details, including OTPs and transaction codes, after which cash was withdrawn from SBI ATMs.
“Vikas Das would withdraw the money, keep a commission of Rs 3,000 and personally hand over the remaining amount to Purnanand Tiwari in Mumbai,” Sinha said.
Investigators said Sitaram Mandal supplied APK files to other fraudsters and arranged debit and credit card details used for receiving and moving fraud proceeds.
Police also uncovered what they described as a new misuse of SBI’s YONO Cash service. “The fraudsters exploited the YONO Cash facility, which allows ATM withdrawals without a physical card. Even if an account belonged to someone in Assam or Guwahati, money could be withdrawn in Surat. We arrested the accused when they came for such withdrawals,” Sinha said.
According to investigators, all three accused belonged to the same region and knew each other personally. Tiwari allegedly began developing APK fraud tools in August 2025 after previously being involved in electricity bill scams.
Police said he had earlier been arrested twice in cybercrime cases related to electricity bill fraud. “The main accused was earlier involved in electricity bill scams in the Jamtara belt and had been arrested twice. The APK fraud operation began in 2025,” Sinha said.
Investigators said Das and Mandal also had criminal records. Before becoming involved in APK-based frauds, they allegedly participated in OTP fraud operations.
Police said Mandal previously worked as a caller who contacted victims and obtained OTPs through deception. “All three have a history linked to cyber fraud. Before entering APK fraud, the other accused were involved in OTP fraud,” Sinha said.
According to police records, Das is wanted in two cybercrime cases registered in Prayagraj, Uttar Pradesh, while Tiwari and Mandal have been named in multiple cybercrime cases registered in Giridih district, Jharkhand, involving cheating, forgery, criminal conspiracy, and offences under the Information Technology Act.
Investigators said the malicious applications were disguised as legitimate services, including gas bill updates, bank KYC verification, credit card applications, customer support systems, electricity bill services, government schemes, e-challans and even wedding invitations.
“An APK file can appear in the name of a wedding invitation, an RTO notice, a bank service or any other trusted service. The identifying feature is the ‘.apk’ extension. If such a file is received through WhatsApp, social media or text messages from an unknown source, it should never be downloaded,” Sinha said.
Police said that once installed, the applications gained unauthorised access to SMS messages, contacts, call logs, notifications and banking credentials.
The software enabled fraudsters to intercept OTPs, obtain user IDs and passwords, remotely monitor devices and conduct unauthorised banking transactions. Investigators also found that the APK files could spread automatically from one victim to another.
“After a device was compromised, the APK file was forwarded to all WhatsApp and Telegram groups associated with that user. If another recipient downloaded it, the same process repeated. It functioned like a chain reaction and could reach thousands of people within a short period,” Sinha said.
During the investigation, police recovered APK files impersonating Bank of India, DBS India, customer support services and other organisations, along with information relating to domains, servers, email accounts and technical infrastructure allegedly used to operate the fraud network.
The main accused was arrested while travelling from Kolkata towards Kishanganj after allegedly learning that police teams had reached Mumbai in search of him.
“When our team reached Mumbai, he became aware of the operation and fled towards Kolkata. With assistance from the Railway Protection Force, he was identified by a tattoo on his hand and arrested from a moving train. No cash was recovered, but devices containing crucial evidence were seized,” Sinha said.
The Ahmedabad Cyber Crime Branch has so far linked the gang to 12 complaints registered through the National Cyber Crime Reporting Portal and five FIRs registered in Ahmedabad.
The complaints involve alleged fraud amounting to nearly Rs 70 lakh. Individual complaints identified during the investigation involve losses ranging from approximately Rs 5.19 lakh to Rs 15 lakh.
Sinha said investigators believe the gang’s APK files were used in cyber frauds across multiple states and that efforts are continuing to determine the full scale of the operation.
“We cannot say that this is the only mastermind behind APK fraud in the country, but he is one of the masterminds. His arrest will have an impact and help raise awareness of APK fraud. This is the first time these accused have been arrested specifically in connection with APK-based fraud,” she said.
She urged the public to install applications only from official app stores, avoid downloading APK files from unknown sources, never share OTPs or banking credentials, and immediately contact the cybercrime helpline or report the matter to the nearest police station if a suspicious APK file has been downloaded.
“Even if an APK file has been downloaded by mistake, people should immediately report it by calling 1930 or approaching the nearest police station,” Sinha added.
–IANS
mys/dan
