That Wedding Invite APK on WhatsApp Can Empty Your Phone

Wedding season in India now comes with a quiet second guest list: scammers. The wedding invitation APK scam has become one of the most effective ways criminals are draining bank accounts, and it relies on something disarmingly ordinary — a message that looks like a digital shaadi card from a number you half-recognise. One tap, a couple of careless permissions, and the phone stops being yours.

The trick has spread because it weaponises good manners. Nobody wants to ignore a wedding invite. The file is often named something like Sharma_Wedding_Invitation with a card thumbnail, and the sender sounds apologetic and warm. What the victim doesn't notice is the three letters at the end of the file name: .apk.

Why a Wedding Card Is Actually an App

A real e-invite arrives as a PDF, an image, or a web link. An APK is something entirely different — it is an Android application package, the same format the Play Store uses to install software. When you tap one, you are not opening a card. You are installing a program written by a stranger.

Scammers disguise the installer with a wedding-card icon and a friendly name so the brain registers "invitation" instead of "app". The same playbook runs under other costumes through the year: a fake fund transfer receipt, a courier-delivery update, an electricity-bill app, a vaccine certificate, a baby-shower or housewarming card. The wrapper changes; the .apk underneath does not.

Because Android allows installing apps from outside the Play Store — a feature called sideloading — the system is happy to run this file once you approve it. That single design choice, useful for developers, is the doorway the whole scam walks through.

What the Malware Does Once It's In

Installing the app is only step one. The real damage comes from the permissions it asks for, and most people grant them on autopilot. The dangerous one is Accessibility Service, a tool built so that visually impaired users can have their screen read aloud and navigated automatically.

In the wrong hands, Accessibility becomes a remote pair of eyes and hands. Granted that single permission, the malicious app can:

• Read everything displayed on screen, including your banking app and balances
• See incoming OTP messages and one-time passwords as they arrive
• Tap buttons, type, and approve transactions on your behalf, invisibly
• Hide its own notifications and silence alerts so you stay unaware
• Overlay fake login screens on top of real banking and UPI apps to harvest your PIN

Many variants also grab SMS permissions outright, so the OTP your bank sends never reaches your eyes — it is intercepted and forwarded to the attacker. With your card details phished through a fake form and the OTP captured silently, a transaction completes while the phone looks idle in your pocket. Some strains go further and lock you out, demanding a ransom, or quietly message the same poisoned file to your entire contact list, because a card from a friend is far more convincing than one from a stranger.

The Telltale Signs Before You Tap

The scam survives on a half-second of inattention. Slow down at the moment a file arrives and the giveaways are obvious.

1. The file extension. Genuine invites never end in .apk. If you can see the file name, check the last letters. PDF, JPG or PNG is normal; APK is a red flag every time.
2. An install prompt. Opening a photo or PDF never asks to install anything. The moment your phone says it wants to install an app from this file, stop.
3. A request for unknown sources. If the phone warns that installing from this source is blocked and offers to allow it, that warning is protecting you. Do not override it.
4. Odd sender behaviour. A wedding invite from an unsaved number, a foreign country code, or a contact who "can't talk right now, just open the card" deserves suspicion.
5. A demand for Accessibility. No invitation, receipt or bill needs to control your screen. Any app asking for Accessibility right after install should be cancelled and uninstalled.

Locking Your Phone Down Before Anything Arrives

A few settings, changed once, neutralise this entire category of attack. Treat them as standing hygiene rather than a reaction to a specific message.

• Disable installs from unknown sources. On most phones this lives under Settings > Apps > Special app access > Install unknown apps. Set every app, especially WhatsApp and your browser, to "Not allowed". This alone stops the sideload.
• Keep Google Play Protect on. It scans apps and frequently blocks known malicious APKs before they run. Open the Play Store, tap your profile, and confirm Play Protect is active.
• Install only from the Play Store. If an app genuinely exists, it is on the official store. There is almost never a legitimate reason to install a .apk a stranger sent you.
• Audit your Accessibility menu. Open Settings > Accessibility and look at which services are switched on. If you see anything you don't recognise, turn it off and uninstall the app behind it.
• Lock your SIM and SMS. A SIM PIN and a careful eye on SMS permissions limit how easily an attacker can intercept your OTPs.
• Set a separate UPI and screen-lock PIN. Reusing the same four digits everywhere means one leak unlocks everything.

If You've Already Installed It

Panic wastes the minutes that matter. Move in order.

First, cut the malware off from the internet: switch on airplane mode or remove the SIM, so it cannot exfiltrate data or receive commands. Next, restart the phone into Safe Mode — usually by long-pressing the power button, then long-pressing the "Power off" option until "Reboot to safe mode" appears. Safe Mode runs only system apps, which stops the malware and lets you delete it without it fighting back. Uninstall the suspicious app and revoke any Accessibility permission it held.

Then assume your credentials are compromised. From a clean device, change your net-banking, UPI and email passwords, and call your bank to freeze or flag the account. If money has already moved, report it immediately on the national cyber-fraud helpline 1930 and file a complaint on the cybercrime portal; the first few hours give the best chance of a freeze on the receiving account. When in doubt about how deep the infection went, a full factory reset after backing up your photos is the cleanest cure.

Why This Scam Keeps Working

The uncomfortable truth is that the technology is doing exactly what it was designed to do. Sideloading exists so people can install apps Google doesn't host. Accessibility exists so disabled users can operate their phones. Neither is a bug. The scam simply borrows legitimate features and points them the wrong way, then dresses the whole thing in social occasions Indians are culturally primed not to refuse.

That is also why awareness beats any single setting. Software updates and Play Protect catch known threats, but the wrapper keeps changing — wedding card today, festival greeting or income-tax refund tomorrow. The one habit that survives every new disguise is boringly simple: never install an app from a file someone sends you, no matter how warmly they ask. Forward the suspicious message to your family group with a warning instead. In a country where the digital invite has all but replaced the printed card, that small reflex is now part of basic financial safety.