Police have detected a new way in which fraudsters are trying to target Kolkatans by sending them a link through text messages telling them that a hefty amount has been credited into their gaming accounts.
If one clicks such a link to claim the money, that may lead to transfer of all money from his or her account to the fraudsters’ even without sharing any One Time Password, the police said.
Sleuths are calling it the Android Programming Kit (APK) fraud as victims, by clicking links sent by fraudsters, are unknowingly downloading APK files that compromise their phones.
The downloading of APK files results in the installation of an SMS-forwarding software in the phone that diverts all incoming text messages to another number so that the victim does not get any SMS alert when money is debited from his or her account, said an officer of the cyber cell at Lalbazar.
“This is a new modus operandi of fraudsters to get remote access to the phones of their targets. They are using the name of a popular gaming site to lure people into their trap by claiming that a large amount has been credited into their gaming account,” the officer said.
Several Calcuttans The Telegraph spoke to said they had received messages that state: “Hi 9830xxxxx9 (mobile number of the recipient), Transaction successfully done of Rs 96793 to your (online gaming app's name) A/C. Click m01.in/2bbdub!94 to withdraw it Now. ADSPL.”
The police said that after being cheated the victims fail to realise how it happened because they had never shared any OTP with any stranger.
A senior officer of the police said unlike other fraudulent messages, which are sent from random phone numbers and are not personalised, the messages sent as part of the APK fraud are designed to address the recipients.
“Earlier, text messages were sent at random. But these messages carry the phone number of the person to whom it is being sent, to make it look authentic and trustworthy,” said the officer.
Once the recipient clicks the link in the message, two attachment files appear on the screen.
“Clicking the first attachment will silently install a screen-sharing app in the phone, through which the fraudsters have direct access to the phone. The second attachment, if clicked, leads to the installation of an SMS-forwarding software in the phone so that the person does not receive any text messages from his or her bank when fraudsters carry out transactions using the screen-mirroring software,” said the officer.
Deputy commissioner, cyber crime, Kolkata police, Atul V., said creating awareness on the APK fraud was one of their major focus areas.
"We have reports that such fraudulent messages are being sent in bulk, making people vulnerable to such frauds. Creating awareness against APK fraud is one of our areas of focus at this moment," Atul told this newspaper.
A cyber expert said the APK fraud programme has been designed in a way that if a victim reports the matter to the police, it would be difficult to track down the fraudsters through the link in the message because it remains active for a few hours.
"We have come across many such cases where people have received such fraudulent text messages with a spurious link. If the link is clicked after a certain period, it will only direct you to a popular search engine. That means the link remains active only for a few hours, after which even the law-enforcement agencies cannot track the APK files or the transactions that have been made," said a cyber expert in Kolkata.