A Seemingly Simple Call, A Life-Changing Scam
On July 20, 2024, a Lucknow resident received a casual phone call that seemed no different from a routine Aadhaar card update request. The caller posed as an official, assuring him that an Aadhaar verification was pending and needed immediate attention. A WhatsApp message followed, carrying a file named “iMobile.apk.” Unknowingly, the victim clicked, installed the app and that’s when his nightmare began.
What looked like a simple update turned out to be a full-blown Remote Access Trojan (RAT) attack, using malware capable of granting cybercriminals total access to a person’s mobile phone.
Over the next few hours, the attackers monitored his phone activity, intercepted bank OTPs (One-Time Passwords), read his messages, and executed five unauthorized transactions, totaling a staggering ₹8.70 lakh.
The worst part? The victim had no idea it was happening in real time.
Understanding the Cybercrime Lingo
To make sense of how this scam worked, let’s break down some of the technical terms:
RAT (Remote Access Trojan): Malicious software that gives attackers control over your device, letting them view your screen, read messages, access files, and even operate apps.
APK File: The installation file format for Android applications. Unlike apps downloaded from the Google Play Store, APK files shared directly can be tampered with by cybercriminals to carry harmful malware.
OTP (One-Time Password): A unique, short-lived code sent to your phone or email, commonly used to verify identity during online banking or secure transactions. In this scam, RAT malware intercepted OTPs without the victim’s knowledge, allowing fraudsters to make unauthorized bank transfers.
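As an added illustration (not part of the original article or of any tool it names), here is a defender's triage check that reads a decoded AndroidManifest.xml and flags the Android permissions matching the RAT capabilities described above. The sample manifest, package name and function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the glossary attributes to a RAT, mapped to real Android permissions.
RISKY = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (bank OTPs)",
    "android.permission.READ_SMS": "read stored messages",
    "android.permission.READ_EXTERNAL_STORAGE": "access files",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "view screen and operate apps",
}

# Constructed sample: decoded manifest of a hypothetical sideloaded app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""".strip()

def risky_capabilities(manifest_xml):
    """Return {permission: capability} for risky entries found in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name in RISKY:
            found[name] = RISKY[name]
    # Accessibility is declared on a <service>, not via <uses-permission>.
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm in RISKY:
            found[perm] = RISKY[perm]
    return found

def can_forward_otps(manifest_xml):
    """True when the app can both receive SMS and reach the network."""
    root = ET.fromstring(manifest_xml)
    perms = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    return {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms

if __name__ == "__main__":
    for perm, why in risky_capabilities(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    print("OTP forwarding possible:", can_forward_otps(SAMPLE_MANIFEST))
```

A legitimate app can request some of these permissions too, so a hit is a reason to look closer at an app that arrived outside the Play Store, not proof of malware.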
The Legal Side: What Laws Are Involved?
This incident falls under several cybercrime provisions of Indian law, specifically:
Information Technology Act, 2000
Section 66C: Covers identity theft, which includes the unauthorized use of someone’s Aadhaar number and banking details.
Bharatiya Nyaya Sanhita (BNS), 2023
India’s recently implemented criminal code, replacing the IPC, also covers such cyber offenses. Relevant provisions include:
- Unauthorized Bank Transactions (Deception/Fraud):
BNS 2023, Section 318 (Cheating): Covers inducing someone through deception to deliver property (e.g., money in unauthorized transactions). Specifically, Section 318(4) focuses on situations where someone tricks or persuades a person into handing over their property.
- Digital Identity Misuse (Aadhaar fraud, impersonation, data breach):
Section 319 of the Bharatiya Nyaya Sanhita, 2023 focuses on cases where an individual pretends to be someone else, whether online or offline, with the intent to deceive or gain unlawfully. In simpler terms, it punishes anyone who pretends to be someone else, especially online, to deceive others. Whether it’s using someone’s identity to create fake social media profiles, trick people into sending money, or impersonate a government official, this law ensures such digital impersonation doesn’t go unchecked.
IT Act 2000:
Section 43: Penalties for unauthorized access/damage to computers and data.
Section 43A: Holds companies accountable if they fail to safeguard sensitive personal data, making them liable to pay compensation in case of a data breach caused by negligence.
Section 66: General computer-related offenses (e.g., data theft).
Section 66C of the Information Technology Act, 2000 deals with identity theft. In everyday terms, it applies when someone wrongfully uses another person’s digital identity, such as their Aadhaar number, passwords, or electronic signatures, to impersonate them or commit fraud. Whether it’s accessing a bank account or signing a document without permission, this section ensures there are strict penalties for misusing someone’s personal digital information.
Section 66D deals with cases where someone pretends to be another person online, for example through emails, messages, or fake profiles, to deceive and cheat others. If caught, the person can face legal punishment for using digital means to commit fraud.
Aadhaar Act 2016: Contains specific offenses and penalties for Aadhaar-related fraud and misuse.
The Bigger Picture: It’s Not Just One Case
The Lucknow case is a stark warning, but it’s far from isolated. Here’s a look at other recent incidents that show how India is in the grip of a digital scam epidemic:
The Digital Arrest Racket
A Lucknow man was held “digitally hostage” for two hours by scammers pretending to be Narcotics Control Bureau officers. They forced him into a video call and convinced him he was under investigation for money laundering. The result? A total loss of ₹11.5 lakh was reported, much of it siphoned off through a fraudulent personal loan taken in the victim’s name without their knowledge.
The Deepfake Trap
In Maharashtra, an academic lost nearly ₹95 lakh to a sophisticated deepfake scam where impostors video-called him pretending to be Delhi Police officials. Scammers used AI to create lifelike faces, clone voices, and deliver threats that sounded just like real officials, making the entire con feel disturbingly authentic.
Legal Remedies: What Can You Do?
If You Are a Victim:
Disconnect Your Device Immediately. Turn off mobile data/Wi-Fi to block further access.
File a Complaint on the National Cyber Crime Portal or dial the helpline 1930.
Visit the Nearest Cyber Crime Police Station and register an FIR under the IT Act and BNS sections mentioned above.
Reach out to your bank immediately to block your cards or freeze your account and raise a dispute for any unauthorized transactions.
Reset Your Passwords and reinstall the phone’s OS (factory reset recommended).
Retain Evidence: Save all messages, call recordings, and screenshots for investigation.
Legal Tip: Ask your lawyer to file for a Section 420 (cheating) charge along with digital fraud clauses. You may also invoke Section 43A of the IT Act to claim damages from financial intermediaries if negligence is proven.
Cyber Hygiene: How to Stay Safe
Here are simple steps to avoid falling victim to such scams:
Avoid installing .APK files that come through WhatsApp, emails, or social media links, even if they look trustworthy. These files can be traps hiding harmful software. To protect your device and data, always use verified sources like the official Google Play Store or the genuine UIDAI Aadhaar app for downloads.
Don’t trust Aadhaar update calls. UIDAI never asks for sensitive information or sends update links via WhatsApp.
Never share your OTP with anyone, no matter how official they sound. Even if someone says they’re from your bank or Aadhaar center, real authorities will never ask for it.
Enable 2-factor authentication for all banking and email accounts.
Make sure you’re using trusted antivirus software and keep your device’s operating system updated. These simple steps act like a daily health checkup for you.
The Role of BNS + IT Act: A New Legal Synergy
India’s transition from IPC to the Bharatiya Nyaya Sanhita (BNS) in late 2024 is a game-changer for digital crime management.
BNS integrates better with the Information Technology Act, 2000, ensuring:
Faster trial timelines for cybercrime
Enhanced coordination between Police, CERT-In, and UIDAI
Easy-to-understand explanations of terms such as “digital impersonation” (pretending to be someone else online using their name, photo, or credentials) and “data fraud” (illegally using or manipulating personal information for deceitful gain)
This new legal framework empowers not just law enforcement, but also victims, by simplifying procedures and broadening the scope of digital redressal.
What Authorities Are Doing
Law enforcement agencies are not sitting still.
UP Cyber Cell has set up specialized RAT-monitoring units.
STF operations have busted gangs with links to Dubai and China, recovering ₹1.07 crore and over 100 mobile devices.
New government campaigns are educating users in rural and tier-2/3 cities about Aadhaar safety and mobile malware risks.
Police in Jharkhand and UP have launched cyber-literacy programs for students and senior citizens.
Courts are also taking stern views, awarding compensation in multiple cases, especially where digital negligence or platform lapses are evident.
Final Takeaways: What You Should Remember
If it looks official, double-check: Aadhaar calls or updates will never come via WhatsApp. Trust official apps only.
Be proactive: Even one suspicious app could cost you your life savings.
Know your rights: Laws under BNS and IT Act empower you to report and seek compensation.
Act fast: Time is critical in cyber fraud. Freeze accounts, file FIRs, and seek expert help.
Legal support matters: Don’t fight alone; cyber law specialists like Ashish Agrawal can help you navigate the maze.