← Back to Feed

The file that looked like a gas bill emptied her account by morning

Six men. 999 fake apps. A database of 8,609 phone numbers with PINs and CVVs attached. The Mumbai Cyber Crime Branch says the file that arrived on your phone was never a gas bill. It was the door.

The file that looked like a gas bill emptied her account by morning

Asha was grading Class 7 English notebooks when the phone buzzed on the kitchen table. Nine forty-seven at night. The message had the small blue tick of WhatsApp and the small blue flame of an MGL logo lifted from a press release.

Dear customer. Your gas connection will be disconnected tomorrow. Please update the Mahanagar Gas app to continue service.

There was a link.

She is fifty-four. She teaches at a school in Mulund. She has paid the gas bill on the same day of every month for nineteen years because she does not like surprises and she does not like being late. The message was a surprise. The message also told her how to fix the surprise.

She tapped the link.

The phone asked if she wanted to install an app from an unknown source. She did not know what an unknown source was. She knew what Mahanagar Gas was. She tapped yes.

The app asked for permission to read SMS. She tapped yes. It asked for permission to read contacts. She tapped yes. It asked for permission to display over other apps. She did not understand what that meant. She tapped yes.

She went back to the notebooks. The phone sat on the kitchen table. The phone, by then, was no longer hers.

II. The Factory

On June 25, the Mumbai Cyber Crime Branch announced the arrest of six men in connection with what the police are calling an interstate fake APK racket. Deputy Commissioner of Police Bajrang Bansode put the numbers on the table.

3,206 cyber fraud complaints across India.

Rs 43.25 crore (about $5.2M USD) stolen.

771 complaints from Maharashtra. 123 from Mumbai alone.

The six arrested: Arif Astun Ansari, 28. Shaikh Belal Naushad, 28. Mehboob Naushad Alam, 26. Sajid Mansur Ali, 21. Mohan Kushal Mahto, 23. Sunil Kumar Dashrath Soren, 25. Pulled from Jharkhand and Delhi. Booked under the Bharatiya Nyaya Sanhita and the Information Technology Act.

The seizure list reads like the inventory of a workshop.

11 mobile phones. 9 laptops. 999 fake APK files impersonating banks, Regional Transport Offices, and Mahanagar Gas. 63 malicious APK package names. About 1.24 crore SMS records pulled from Google Firebase and Hostinger servers. A database of 8,609 mobile numbers, each one tied to a bank account number, an ATM card detail, a PIN, a CVV, a UPI handle.

That is not a scam. That is a factory.

Read the seizure list again. Each of those 999 files was a wrapper. Inside the wrapper, the same engine. Outside the wrapper, a different costume. A State Bank logo. A Mahanagar Gas logo. A traffic challan from the Mumbai RTO. The costume is what the customer sees. The engine is what eats the phone.

III. What an APK Is

An APK is an Android Package Kit. It is the file format Android phones use to install apps. The Play Store wraps these files in a layer of verification. When you install from the Play Store, the file is checked. When you install from a link in a WhatsApp message, nothing is checked. The file just runs.

That is the door the factory uses.

The pitch is always the same shape. A message. An urgency. A link. A logo you trust. A permission screen you do not read. An app you cannot easily uninstall because it has hidden its icon.

Asha did not know any of this. She knew her gas bill. The factory knew that too.

IV. The Pipe

Once the app was on Asha's phone, it did what it was built to do. It read the next SMS that arrived. When her bank sent her a one-time password to verify a transaction she had not authorized, the password did not stay on her phone. It went to a server. The transaction cleared.

Rs 2.35 lakh (about $2.8K USD) left her account before she finished the notebooks.

The money did not stop there. According to the investigators, funds in cases like hers move through mule accounts. A mule account is a bank account opened in someone else's name, often a person paid a few thousand rupees to hand over their KYC documents. The money lands there. It is moved again. It is converted to cash at an ATM in a town Asha has never been to. By the time anyone files a complaint, the chain is cold.

The SMS records, the 1.24 crore of them, sat on Google Firebase. Firebase is a Google service for developers. It is meant to host apps. It will host whatever you point it at. Hostinger held the rest. These are not shady servers in a basement. These are the same tools a legitimate startup uses to launch a product. The factory used them because they work.

That part may be the saddest. The infrastructure of the open internet, the same pipes that carry every legitimate service, carried Asha's PIN to a database in a folder named for a city she does not know.

V. The Pattern

This is not one factory. It is many factories, running the same blueprint, in the same week.

June 25, Ahmedabad. Cyber Crime there arrested Poornanad Tiwari, described as a mastermind from Jamtara, linked to Rs 70 lakh ($84K USD) in Ahmedabad losses alone, charged with developing and selling fake APKs.

June 25, nationwide. The CBI ran Operation Chakra-VI, raiding more than 80 locations across 16 states. The target was "digital arrest" scams. Approximately Rs 2 crore ($240K USD) had moved through mule accounts in connected cases.

June 19, Delhi. CyHawk 5.0. 916 arrests. 7,189 detentions. Rs 3.59 lakh ($4.3K USD) recovered for victims, against losses that almost certainly run into the hundreds of crore.

Karnataka reported a 190.46% surge in APK fraud cases between 2025 and April 2026. 458 cases by April. Projected 1,374 for the year.

Picture it. Picture a country in which 12 lakh APK scam reports have been filed on the National Cyber Crime Reporting Portal since early 2025. Picture the workshops behind each one. Picture the 8,609 names in the Mumbai database, each one a person who tapped yes.

VI. What Asha Held

Asha called her bank the next morning. The bank told her to file a complaint at the cyber cell. The cyber cell told her to file at the national portal. The national portal gave her a reference number. The reference number was eleven digits. She wrote it on the back of one of the Class 7 notebooks because that was what was on the kitchen table.

The notebook was open to a paragraph about a girl who saved her family from a flood.

The money has not come back. The complaint sits with the others. According to the Mumbai investigators, 123 of those others are from Mumbai. 771 are from Maharashtra. The remaining 2,435 are from somewhere else, also in someone's kitchen, also next to something open on a table.

VII. The Renaming

The press is calling this a fake APK scam. That is the polite name.

The real name is the SMS pipe. The OTP intercept. The mass-impersonation kit. 999 wrappers around one engine, distributed by six men from two states, fed by a database of credentials harvested at scale. That is not a scam. A scam is one person lying to another person. This is industrial. This is a supply chain.

The press release gets the arrests. The database gets the silence. The DCP gets the podium. The 8,609 names get a folder on a server somewhere. The six accused get their photographs in the paper. The factory gets a new address.

VIII. The Door

The Mumbai Cyber Crime Branch has shared its findings with the Indian Cyber Crime Coordination Centre. The six accused face charges. Allegation is not adjudication. The investigation continues.

The next message arrives tomorrow. It will look like a courier delivery. Or an electricity bill. Or a traffic challan from an RTO in a city you visited once. It will have a link. The link will ask you to install something. The something will ask for permission to read your SMS.

Asha tapped yes because she did not want her gas cut off. She was not careless. She was on time. She was a person who paid her bills.

The factory does not need you to be careless. It needs you to be on time.

Evidence Trail
  1. Mid-day | June 25, 2026 | "Mumbai Cyber Crime Branch arrests six in fake APK scam linked to Rs 43.25-crore fraud across India"
  2. Mumbai Cyber Crime Branch press briefing | June 25, 2026 | DCP Bajrang Bansode
  3. Indian Cyber Crime Coordination Centre (I4C) | shared findings reference
  4. National Cyber Crime Reporting Portal | aggregate APK scam statistics, 2025-2026
  5. CBI Operation Chakra-VI | June 25, 2026 | nationwide raid disclosures
  6. Delhi Police CyHawk 5.0 | June 19, 2026 | operation summary
  7. Ahmedabad Cyber Crime | June 25, 2026 | Poornanad Tiwari arrest
  8. Karnataka cyber crime quarterly report | April 2026 | APK fraud surge data

Editorial Notice

MarkTell is a true crime publication about financial fraud. Some scenes, dialogue, and sequential details are reconstructed from court filings, enforcement actions, news reports, and public records. Where the public record does not provide exact details, editorial reconstruction is used to convey the documented pattern of events. Names of private individuals may be changed to protect identity. All factual claims are sourced to public documents cited in the Evidence Trail above. MarkTell does not provide investment, legal, or financial advice. Nothing published here constitutes a recommendation to buy, sell, or avoid any investment. Allegations described in active cases have not been adjudicated and defendants are presumed innocent until proven guilty. Readers should conduct their own due diligence before making financial decisions.