Business Recorder
KARACHI: Fake Android Package Kit (APK) files have emerged as a growing cyber threat to banking consumers in Pakistan, as fraudsters increasingly use malicious apps to hijack mobile phones, steal banking credentials and carry out financial fraud. Fraudsters commonly approach users through SMS, WhatsApp, Telegram, social media messages, fake courier alerts, challan payment links, investment offers, tax notices, bank-related messages or IPTV links. The message usually asks the consumer to download an APK file instead of using a verified app from Google Play Store or an official company website. Once installed, the fake app may seek dangerous permissions such as Accessibility, screen overlay, SMS access, notification access, device admin rights or background control. These permissions can allow criminals to monitor the screen, read OTPs, capture passwords, create fake banking screens, approve transactions and transfer money without the user’s consent. The banking sector has warned Pakistani consumers against installing unknown APK files and urged them to download apps only from trusted sources. The most important reminder for consumers is simple: no bank, courier company, government department or reputable business will ask users to install an APK file through WhatsApp, SMS or an unknown link, they said. Talking to Business Recorder , Ahmed Ali Siddiqui, Group Head Consumer Finance Meezan Bank has warned that such apps can also hide themselves by removing their app icon, making detection difficult for ordinary users. In many cases, victims only realize the fraud after money has already been transferred from their accounts. He said consumers should treat sudden battery drain, overheating, random pop-ups, unknown apps, disappearing apps, slow phone performance, unexpected OTPs and accessibility permissions granted to unknown apps as warning signs. Any such behavior should be taken seriously, especially if the user recently installed an app through a link received on WhatsApp, SMS or any unofficial source. Banking consumers are advised never to install APKs sent through links, messages or unknown websites. Apps should only be downloaded from Google Play Store or official websites. Users should also keep Android and banking apps updated, enable Google Play Protect, avoid giving risky permissions to untrusted apps, and use strong passwords with two-factor authentication, he urged. If a consumer suspects that a fake APK has been installed, they should immediately disconnect the phone from the internet, remove suspicious apps, revoke risky permissions and change banking passwords from another secure device, Ahmed said. Copyright Business Recorder, 2026
Go to News Site