Scam Alert: Public warned of new digital scam involving malicious APK files
April 25, 2026 02:05 pm
Sri Lanka Police have announced that they have successfully identified information regarding a new digital scam targeting bank accounts.
Issuing a statement, the Police Headquarters noted that, under this fraudulent method, if an Android application file (APK) received from an unknown number, or even from a contact posing as a friend, is downloaded and opened, hackers may gain complete control of the victim’s mobile phone.
As a result, sensitive information such as SMS messages and one-time passwords (OTPs) can be accessed, enabling criminals to unlawfully access and withdraw funds from bank accounts, said police.
Due to this threat, police have advised the general public to remain vigilant when opening messages. Authorities have observed that smartphone users in the country are receiving such APK files via social media applications, including WhatsApp and Telegram.
An APK (Android Package Kit) file is an installation package used to install applications on Android smartphones. These files are often circulated via social media platforms, disguised as wedding invitations, electricity bills or lottery notifications. If opened under the assumption that they are images or PDF documents, they may be automatically installed as malicious applications on the device.
Once installed, hackers may gain the ability to monitor and control the contents of the mobile phone. This includes reading incoming SMS messages, allowing confidential OTP codes related to banking transactions to be intercepted without the user’s knowledge, said police.
Therefore, the public has been advised not to download or open suspicious APK files under any circumstances, even if they appear to have been sent by a known contact.
When installing mobile applications, users should rely only on official sources such as the Google Play Store or Apple App Store. It is also recommended to ensure that the “Install Unknown Apps” setting remains disabled on mobile devices.
Sri Lanka Police further advise that individuals who may fall victim to such scams should immediately inform their respective banks to suspend accounts and report the incident to the nearest police station or the Computer Crime Investigation Division of the Criminal Investigation Department (CID).
