How cybercriminals use social engineering and malicious APKs to scam users | Explained  

The story so far: In mid-October, traveller Bhargavii Mani claimed that she lost close to ₹1 lakh while trying to book lounge access at the Bengaluru airport. The scam was allegedly executed after Mani was asked to download an APK (Android Package format) file that looked like a regular app, shared via a WhatsApp chat originating from an international number.

The malicious APK was able to function after she clicked on the link and granted screen mirroring access to a supposed customer care adviser during a video call.

When checking her credit card statement later, Mani noticed an unauthorised transaction of ₹87,125 to a PhonePe account. Additional transactions were also attempted but were denied due to the card reaching its spending limit.    

Mani also claimed her contacts were unable to reach her, and that a man was answering her calls. This could have been due to malicious call forwarding on her device.    

How do cybercriminals use Big Tech platforms? 

Mani said she was asked to download the malicious app from a fake website, which no longer exists. The URL presented to her was “Loungepass.in,” the link to which was shared through a WhatsApp business account. The phone registered to the account had an international number.

Mani claimed this fake website was one of the top results on Google, pointing to gaps in the verification process when big businesses are listed in search results.

Loungepass.com is a genuine website that allows users to pre-book airport lounge access at major airports. In Mani’s case, social engineering tactics were employed to lure her to the fake site; a method commonly used by threat actors.   

However, it is important to note that Apple’s iOS is designed to prevent apps from being downloaded or installed directly from a link that bypasses the official Apple App Store, which enforces strict security protocols. 

This is where the technical prowess of the scam comes into play.   

How did the malicious APK work? 

The only way to download an app on an iOS device is through the official Apple App Store. Apps in the store are verified by Apple and regularly checked for malicious code to ensure user security.  

However, users can download and test unreleased apps on their devices by enabling a hidden setting within iOS.  This feature allows users to test beta or unreleased versions of apps from developers.

“Apple’s Swift SDK also allows screen sharing (both in-app and in the background)”, explained cybersecurity researcher Vishesh Kochher.  

Scammers can use social engineering techniques to enable this setting and allow people to download malicious apps that appear to be legitimate.

In Mani’s case, once the malicious APK accessed her device, scammers likely enabled call forwarding.

For example, this can be done on Airtel’s network by dialling a code, followed by the phone number to which calls should be forwarded, Kochher explained.  

With call forwarding enabled, scammers can easily receive OTPs for transactions via phone banking.  

Kochher further says that an app could be used on iOS to initiate phone calls. With calls forwarded to the scammers’ number and outgoing calls controlled by the app, scammers could complete transactions without the user’s knowledge.  

“The technical sophistication of the app used in this scam appears similar to those used by online loan sharks, which access messages, photos, and stored information,” Kochher explained.  

Who was behind the scam? 

The website used to lure Mani into downloading the malicious app has been taken down.

A simple search for the registered domain name shows the website, hosted by Hostinger, was registered in Gujarat, India.  

However, further details about the individuals behind the website—such as their phone number, address, and organisation—were redacted from the registry. Investigators can request this information.  

How bad is the cybercrime situation in India? 

In 2023, Indian citizens lost ₹66.66 crore in 4,850 reported cases of online scams.

A report by the Indian Cybercrime Coordination Centre (I4C) revealed that digital financial frauds amounted to a staggering ₹1.25 lakh crore over the last three years.  

According to the National Cybercrime Reporting Portal (NCRP), at least ₹10,319 crore was reported lost by victims of digital financial fraud in 2023.  

Additionally, 5,252 suspect URLs have been reported so far.

The Parliamentary Standing Committee on Finance’s report on ‘Cybersecurity and Rising Incidents of Cyber/White Collar Crimes‘ noted that domestic fraud reported by Supervising Entities (SE) in FY23 totalled ₹2,537.35 crore.  

The use of sophisticated technical knowledge, coupled with social engineering techniques and a rise in data leaks, exacerbates the problem.  

India ranked fifth globally in the number of breached accounts in 2023, with 5.3 million leaked accounts. Scams enabled by social engineering and technical expertise are unlikely to disappear anytime soon.  

Users are advised to tread with caution when clicking on unverified links, downloading new apps, and scanning QR codes. They should periodically check for compromised passwords across all online accounts, and regularly review their card records for unknown transactions.