Fake APK Scams on WhatsApp: Do Not Install That App

April 28, 2026 · Anuranjan Vikas · 4 min read

apkmalwarewhatsappphishingguide

A WhatsApp or SMS message asking you to install an APK file is high risk. Do not install apps sent as attachments or links by strangers, fake customer support agents, delivery messages, KYC warnings, loan offers, or people claiming to be from the government or bank. Use only official app stores and the official website of the service.

Fake APK scams are dangerous because the scammer is not just trying to make you click. They are trying to put software on your phone.

What is an APK?

APK stands for Android Package Kit. It is the file format used to install Android apps.

Installing from Google Play or another trusted app store is normal. Installing an APK from a random WhatsApp message, SMS link, Telegram channel, or website is risky.

On many phones, the scammer will guide you to allow “install unknown apps.” That warning exists for a reason.

Common fake APK stories

Scammers may say the APK is:

Bank KYC update app
Courier tracking app
Electricity bill correction app
Loan approval app
Credit card limit increase app
Government subsidy app
Police verification app
Remote support app
Trading or investment app
Job task app
Cashback or rewards app

The story changes. The instruction stays the same: install this file.

Why fake APKs are dangerous

Depending on the malware, a fake app may try to:

Read SMS messages and OTPs
Capture notifications
Overlay fake login screens
Steal contacts
Record screen activity
Forward messages
Take accessibility permissions
Control parts of the phone
Hide itself after installation

Not every APK has all of these powers, but you cannot safely judge that from the file name or icon.

Red flags

Do not install if:

The file came through WhatsApp, SMS, Telegram, email, or social media
The app is not on the official app store
The person says it is urgent
The app asks for accessibility access, SMS access, notification access, or screen recording
The installer asks you to disable security settings
The app name is close to a bank, courier, or government service but not exact
You were already worried about KYC, refund, parcel, loan, or police action

Banks, couriers, and government services do not need random APK files sent over chat to help you.

If you installed a suspicious APK

Do this quickly:

Turn on airplane mode or disconnect mobile data and Wi-Fi.
Do not open banking or UPI apps yet.
Uninstall the suspicious app if you can.
Remove unknown apps from accessibility, notification, SMS, and device admin permissions.
Restart the phone.
From another trusted device, change passwords for important accounts.
Call your bank if banking, card, UPI, or OTP details may be exposed.
If money moved, call 1930 and report at cybercrime.gov.in.

If the app will not uninstall or keeps returning, get help from a phone service center or trusted security professional. Do not keep using the phone for banking until it is clean.

What permissions to check

On Android, review:

Installed apps
Device admin apps
Accessibility
Notification access
SMS permissions
Display over other apps
Install unknown apps
VPN profiles
Battery optimization exceptions

Permission names vary by phone brand, but these are the high-risk areas.

If the APK came from a scam message

Save the message and link. If no money was lost, report the suspected fraud communication or malicious web link through Sanchar Saathi Chakshu.

If money was lost, call 1930 and use cybercrime.gov.in.

How Kaval can help

Send the message, APK name, link, screenshot, or app-permission screen to Kaval. Kaval can help identify the scam pattern and give a cleanup checklist.

Related guides:

Quick answer

Do not install APK files sent through WhatsApp, SMS, Telegram, or email. If you already installed one, disconnect the phone, remove the app and risky permissions, change passwords from another device, call your bank if money is involved, and report financial fraud through 1930 and cybercrime.gov.in.