25 Jun 2026
Ahmedabad

Ahmedabad Cyber Crime busts Jamtara APK fraud gang, mastermind arrested from moving train

By GS TEAM

The Ahmedabad Cyber Crime Cell has busted an alleged inter-state Jamtara-based APK fraud syndicate, arresting three accused, including the alleged mastermind who developed malicious Android application package (APK) files used to steal banking credentials and siphon off money from victims across India.

The alleged mastermind, Purnanand alias Mukesh Tiwari (28), was arrested from a moving train travelling from Kolkata towards Srirampur with the assistance of the Railway Protection Force (RPF). Police also arrested Vikas Das (33) and Sitaram Nakul Mandal (26) for their alleged roles in distributing malware and facilitating cyber fraud.

Fake Sabarmati Gas message triggered probe

The investigation began after Naresh Devanand Sabna, a resident of Hansol, lodged a complaint alleging that he received a WhatsApp message claiming to be from Sabarmati Gas Limited. The message warned that his gas connection would be disconnected unless he updated his previous month's bill and asked him to download an APK file named "Sabarmati Gas Bill Update.apk."

According to police, after the complainant installed the APK, the malware allegedly gained unauthorised access to his mobile phone, allowing fraudsters to steal banking credentials, intercept one-time passwords (OTPs) and remotely operate his device. Police alleged that ₹6.68 lakh was fraudulently transferred from his HDFC Bank account through multiple transactions.

The victim immediately contacted the 1930 National Cyber Crime Helpline before registering an FIR with the Ahmedabad Cyber Crime Police Station.

Mastermind identified through technical analysis

Police said extensive technical analysis and intelligence gathering led investigators to identify Tiwari, a native of Giridih, Jharkhand, currently residing in Mumbai, as the alleged developer of the malicious APK files.

With assistance from Divisional Security Commissioner Sandeep Kumar, Kishanganj RPF Inspector Hridayesh Kumar Sharma and their teams, Ahmedabad Cyber Crime officers intercepted and arrested Tiwari from the moving train.

Investigators alleged that Vikas Das supplied the malicious APK files to nearly 400 cyber fraudsters, while Sitaram Mandal arranged bank cards and distributed malware to other members of the network.

Telegram bot functioned as cybercrime marketplace

According to investigators, Tiwari created a Telegram bot that allowed cybercriminals to purchase customised malware disguised as mobile applications of banks, utility providers and government agencies.

Police alleged the bot offered fake APKs bearing the names of trusted organisations, including SBI KYC, SBI Reward, Axis Bank, Bank of India, IndusInd Bank, Federal Bank, Union Bank, Mahavitran, BSES Bill Update and RTO.

After making payments through SBI YONO Cash, buyers allegedly received customised APK files capable of stealing sensitive information from victims' smartphones.

Investigators further alleged that Vikas Das withdrew money using SBI YONO Cash from ATMs before delivering the cash, after deducting his commission, to Tiwari in Mumbai, thereby attempting to conceal the financial trail.

Malware gave fraudsters complete control of phones

Police said forensic analysis showed the malware could remotely access infected smartphones, read SMS messages to capture OTPs, access contacts, photographs and WhatsApp chats, monitor notifications, steal banking credentials and remotely operate banking applications to transfer money.

Officials also alleged that the malware automatically propagated itself by forwarding malicious APK files to victims' WhatsApp and Telegram contacts, allowing the fraud to spread rapidly.

Investigators have also recovered information relating to domains, servers, email accounts and other digital infrastructure allegedly used to develop and distribute the malware.

Multiple cybercrime cases under investigation

According to police, all three accused have criminal antecedents, with multiple cybercrime cases registered against them in Jharkhand and Uttar Pradesh involving cheating, forgery, identity theft, criminal conspiracy and offences under the Information Technology Act.

Investigators are now examining whether the accused are linked to several other cyber fraud complaints registered through the 1930 helpline, involving financial losses ranging from several lakh rupees to over ₹15 lakh.

Police said further investigation is underway to identify other members of the alleged cybercrime network and trace additional victims.