That WhatsApp Wedding Card Could Be Emptying Your Bank Account

A guest you half-recognise forwards a wedding card on WhatsApp. The name looks familiar, the festive season is in full swing, and you tap to open it. Within minutes, money you didn't authorise starts moving out of your account. This is the malicious APK scam, and through 2025 and into 2026 it has become one of the most expensive frauds running on Indian phones, with police in Rajasthan, Telangana, Gujarat, Uttar Pradesh and Himachal Pradesh all issuing warnings.

The trick is simple and that is exactly why it works. The file you tapped was never a PDF or an image. It was an Android app, and by opening it you didn't read an invitation — you installed a program designed to take over your phone.

What an APK actually is

Every app on an Android phone ships as an APK file, short for Android Package. The Play Store handles these invisibly: you tap install, Google checks the app, and it lands on your screen. An APK sent over WhatsApp, Telegram or SMS skips all of that. There is no review, no publisher check, nothing standing between you and whatever the file wants to do.

Scammers disguise the APK with names like Wedding_Invitation.pdf.apk, Electricity_Bill.apk or a fake version of a courier or banking app. On a small screen the .apk ending is easy to miss, and the icon often mimics a real document or a known brand. The moment you tap install and confirm the warnings, the disguise has done its job.

How the money actually leaves

Once installed, the app asks for a stack of permissions that sound boring but are the whole game: access to your SMS, your contacts, the ability to draw over other apps, and most importantly Accessibility Service.

Accessibility Service exists for a good reason — it powers screen readers and tools for users with disabilities, letting an app see what's on screen and tap on their behalf. In the wrong hands it becomes a remote control. A malicious app with this permission can:

• Read the one-time passwords your bank texts you, the second they arrive
• See what's on screen, including account numbers and balances
• Tap buttons by itself to approve a transfer or a UPI payment
• Grant itself further permissions and hide its own activity

Because the malware reads the OTP straight from your messages and can press the confirm button itself, the usual safety net fails. You never see the OTP, never type it, and may not notice anything until the debit alerts pile up. Reported losses have run into several lakhs of rupees per victim, and the app frequently forwards itself to everyone in your contact list, so the scam spreads through real friendships rather than spam.

Why your phone let it in

Android does warn you. When you open an APK from a chat, the system flags that you're installing from an unknown source and that Play Protect doesn't recognise the app. The problem is human, not technical: in the rush of a festive forward, people tap through the warnings the same way they accept cookie banners.

Scammers also coach victims past the warnings. A follow-up message or a phone call from the "sender" might say the card "won't open unless you allow installation" or ask you to switch off Play Protect "because the antivirus is blocking the photos." Any instruction to disable a security feature to view a file is the scam announcing itself.

Seven habits that keep you safe

You don't need technical skill to shut this down. A few firm rules cover almost every case.

1. Treat every .apk in a chat as hostile. Real wedding cards come as JPG, PDF or a normal link. A file ending in .apk is always an app, never a document.
2. Install only from the Play Store. If you genuinely need an app, search for it there yourself rather than tapping a link someone sent.
3. Keep Play Protect switched on. Open the Play Store, tap your profile photo, go to Play Protect, and make sure scanning is active.
4. Lock down "Install unknown apps." In Settings, search for that option and turn it off for WhatsApp, your browser and any messaging app.
5. Guard the Accessibility menu. Periodically check Settings, Accessibility, and downloaded services. If something you don't recognise has access, that is a red flag worth investigating immediately.
6. Never disable security on instruction. No legitimate sender, bank or courier will ever ask you to switch off Play Protect or your antivirus to view a file.
7. Verify out of band. If a card or bill arrives from a known contact, call them on a number you already have. Hijacked accounts forward the malware on behalf of people who have no idea.

What 2026 changes for Android users

Google has started closing the door at the system level. Advanced Protection Mode, introduced with Android 16, restricts the Accessibility API so that only apps explicitly built as accessibility tools can use it, which strips the core weapon out of this malware's hands. The mode bundles these stricter settings into a single toggle: it blocks installs from unknown sources, forces Play Protect scans, and limits how apps can abuse sensitive permissions.

If your phone offers Advanced Protection Mode, turning it on is the closest thing to a one-tap fix for this entire category of attack. Older phones that won't get these updates remain the most exposed, which is exactly why the manual habits above still matter, especially for less tech-savvy family members.

If you've already tapped install

Speed matters more than panic. Work through these steps in order:

• Switch the phone to airplane mode at once. The malware needs an internet connection to send your data and receive commands; cutting it off buys you time.
• Uninstall the suspicious app. If it resists or hides its icon, restart the phone in Safe Mode (press and hold the power button, then long-press "Power off" until the Safe Mode prompt appears) and remove it there.
• From another device, call your bank to freeze your accounts and cards and flag recent transactions as fraudulent.
• Report to the national cybercrime helpline 1930 and file a complaint at cybercrime.gov.in. The faster a fraudulent transfer is reported, the better the chance of a freeze on the receiving account.
• Change the passwords for your banking, UPI, email and social apps from a clean device, and consider a factory reset before trusting the phone again.

The uncomfortable truth is that this scam doesn't break into your phone so much as ask politely, and millions of people say yes during a busy wedding season. The defence isn't a gadget or a paid app. It's a single reflex: a file you didn't go looking for, ending in .apk, is not an invitation. It's a stranger asking to hold your phone, your messages and your bank account all at once.