- By Alex David
- Mon, 27 Oct 2025 12:28 AM (IST)
- Source:JND
Now, cybercriminals are targeting WhatsApp users with a new scam called the ‘RTO challan APK’, which is being used to bait users into installing malware under the guise of official e-challans. The state cybercrime unit has sounded a warning following Dehradun residents reporting that more than 20 people were hacked in the past few weeks and had their WhatsApp accounts—and, in a few cases, banking information—compromised.
Here’s how the scam operates
“Fraudsters send a file named ‘RTO e-Challan.apk” through WhatsApp and usually appear to have been sent by someone known to the recipient.
When Android users click and install the file, the malware takes control of their phone while accessing WhatsApp data and messaging history, as well as sensitive financial information. In essence, the APK serves as a remote access gateway, giving hackers control of the victim’s WhatsApp account so they can not only read messages themselves but also spy on and go after other people.
ALSO READ: Apple Plans To Expand Ads On iOS With Maps As Next Target
Vinod, a restaurant owner from Dehradun and another victim, shared how he fell into the trap. “Because I knew the person, I just opened it without thinking. It was a blank message, so I dismissed it. I used to send them news stories on WhatsApp.” After Al Jazeera published the story based on IB questions, he said his phone was hacked. “The next morning I was out from my WhatsApp,” he told TOI. Soon after, he started getting banking OTPs—an obvious signal that hackers were attempting to break into his finances and accounts.
The malware is actually quirky in that it only targets Android-based devices, since APK files cannot be executed outside of the Android environment. Another user, Arun Kumar, dodged being infected when he tried to open the same file from his iPhone and this time the bad download failed.
ALSO READ: MapmyIndia Opens Door For Collaboration With Perplexity AI
Navneet Singh, who is the STF senior superintendent of police (SSP) and state cybercrime head, appealed to users to remain alert. “Do not open any unknown file or link sent through WhatsApp,” even if the purported contact is known, he said. Singh also encouraged people to enable two-step verification on WhatsApp and promptly delete suspicious files from your phone’s Downloads folder.
In case of any financial fraud, users should immediately report it to the police or the cybercrime portal. The scam underscores how attackers are transitioning from phishing links to more sophisticated payloads such as APK-based malware — a worrying emerging paradigm of mobile cybercrime relying on trust and the use of everyday messaging services.
Tech takeaway: Verify unexpected files, keep your phone’s security settings on high and don’t install APKs from sources other than the Play Store. In cybersecurity, one errant tap is all it takes.