Fraud Alert: One APK, Total Takeover — The Rising Threat of 'Android God Mode' Malware
It started with what seemed like a routine message.
 
Ramesh Kulkarni, a small-business owner in Pune, received a WhatsApp message from what appeared to be his bank's customer support team. His account would be blocked, the message warned, unless he updated his know-your-customer (KYC) details immediately. Attached was a file labelled ‘SBI_Update.apk’ (APK, or Android Package Kit, the installation file format for Android apps). The branding and logos on the file looked like his bank's. The urgency to update his KYC also felt real. He downloaded and installed the file.
 
Within minutes, his mobile turned against him. Unknown pop-ups crowded the screen. SMS messages were being sent without his doing anything. His banking app kept logging him out. By the time he understood what was happening, ₹2.8 lakh had been quietly drained through a series of unauthorised transactions.
 
Ramesh had installed what cybersecurity agencies are now flagging as ‘Android God Mode’ malware — a threat capable of taking near-total control of an infected smartphone, silently and systematically, while the owner watches his screen and notices nothing.
 
A Malware That Turns Your Phone against You
The National Cybercrime Threat Analytics Unit (NCTAU) has issued an advisory calling this new class of Android malware among the most dangerous seen in recent times. It travels disguised as something trustworthy, like a banking app, a government service platform, or a customer support tool, arriving via phishing links and APK files dropped into messaging apps like WhatsApp and Telegram.
 
What makes it different from an ordinary virus is that it does not announce itself. It burrows deep into the mobile device's system, leaves no obvious trace and waits. Most users remain completely unaware that their mobile has been compromised. Life continues normally — until the money disappears.
 
The infection becomes truly dangerous the moment the user grants one particular permission.
 
One Permission Can Cost You Everything
‘Accessibility services’ in Android-run devices exist to help users with disabilities — screen readers, gesture controls, that sort of thing. They are powerful by design. And that power is precisely what this malware is engineered to exploit.
 
Once the accessibility permission is granted, the malware can read everything displayed on the screen. It monitors keystrokes and records user activity. It intercepts incoming SMS messages — including one-time passcodes (OTPs) sent by your bank or other service-providers. It can make calls, enable call forwarding, access your contacts, camera, and files, and perform actions on the device entirely on your behalf, without your knowledge or consent.
 
Perhaps most alarming: it can auto-approve additional permissions on its own. Once it has the accessibility access, you may never get full control of your device back.
 
This is not data theft in the conventional sense. It is a full device compromise.
 
The Overlay Attack: A Trap You Cannot See
One of the cleverer techniques in this malware's toolkit is the overlay attack — and it is worth understanding exactly how it works, because it is genuinely hard to detect.
 
When you open your banking app, the malware places a pixel-perfect fake interface directly over it. The screen looks completely identical to the real app. You type in your login credentials or PIN. Everything feels normal. What you do not see is that your details have already been captured and sent to the attacker before you have even pressed confirm. To the victim, the transaction feels routine. The theft is invisible until the bank statement arrives.
 
How It Spreads
The delivery mechanism relies on a combination of social engineering and technical sleight of hand. Fake apps impersonate banking services and government platforms. APK files land in WhatsApp chats, SMS inboxes and emails. Some apps are designed as ‘droppers’ — innocuous-looking on the surface, quietly installing hidden malware in the background after you have opened them. The messaging, which uses threats or lures (read: fear or greed), is always urgent: update your KYC, claim your refund, or contact support before your account is suspended. The goal is to make you act before you think.
 
No legitimate bank, government department, or official service will ever send you an APK file through WhatsApp or SMS. Ever. 
 
That is the rule. If it arrives through a messaging app, do not touch it.
 
Why It Is So Hard to Remove
Ordinary malicious apps can be found and deleted. This one is built to resist. It can hide its icon so it does not appear in your app drawer. It can set itself as the default launcher, taking over the home screen. It blocks uninstallation attempts, reinstalls itself from backups and prevents you from changing system settings. Once embedded, getting it off the device without following specific steps is genuinely difficult.
 
Warning Signs To Watch For
Some signs that your device may already be compromised: SMS messages being sent without your initiating them; unfamiliar apps appearing on the device; the phone running unusually slowly or getting hot for no reason; frequent pop-ups or screen overlays on apps that normally show none; certain apps that simply will not uninstall; and settings pages that appear locked or inaccessible. None of these is definitive proof, but any combination of them deserves immediate attention.
 
What To Do if Your Phone Is Infected
If you suspect your device has been compromised, follow these steps in order.
 
1. Boot into ‘Safe Mode’ first. This disables third-party apps, including the malware, while keeping the core system running — giving you a safer window to work in. Check your mobile handset maker’s website for specific instructions to use ‘safe mode’. Normally, you can press and hold the power button, then tap and hold the ‘power off’ or ‘restart’ option on your screen until the ‘safe mode’ prompt appears. To exit safe mode, you can simply restart your mobile from the power menu.
 
2. Go to ‘settings’, then ‘apps’, and remove anything unfamiliar or recently installed that you did not deliberately download.
 
3. Review ‘accessibility settings’ and ‘device administrator’ permissions. Disable everything that looks suspicious or that you do not recognise.
 
4. Switch to a trusted system launcher to break the malware's grip on the home screen.
 
5. Dial ##002# to cancel any call forwarding that may have been set up without your knowledge.
 
6. Change your UPI PIN and banking passwords immediately from a different, trusted device.
 
7. If the malware persists through all of this, a factory reset is the last resort. It is disruptive, but so is losing your savings.
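For readers comfortable with a computer and a USB cable, the following adb-based triage script is an added illustration (it is not part of the advisory or this column) that automates steps 2 and 3 above: it lists third-party apps holding the two capabilities described earlier, accessibility access and the draw-over-other-apps permission that overlay attacks depend on. It assumes adb is installed and USB debugging is enabled; the allowlist entry and the package names used in comments are constructed placeholders.

```shell
#!/bin/sh
# Triage helper: surfaces third-party apps holding accessibility access or the
# draw-over-other-apps permission. Assumes adb is installed and USB debugging is on.

# Constructed allowlist of accessibility services you expect on this device.
A11Y_ALLOWLIST="com.google.android.marvin.talkback"

# Android stores the setting as pkg/.Service:pkg2/.Service; print one package per line.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v -e '^$' -e '^null$' | sort -u
}

# Print accessibility-enabled packages not on the allowlist; exit status 1 if any.
unexpected_a11y() {
    found=0
    for pkg in $(a11y_packages "$1"); do
        case " $A11Y_ALLOWLIST " in
            *" $pkg "*) ;;
            *) echo "$pkg"; found=1 ;;
        esac
    done
    return $found
}

# Given the output of 'appops get PKG SYSTEM_ALERT_WINDOW', succeed if the app may
# draw over other apps, the capability an overlay attack depends on.
overlay_allowed() {
    printf '%s\n' "$1" | grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Device pass (needs a connected phone): run after booting into Safe Mode.
device_triage() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "== accessibility services not on the allowlist =="
    unexpected_a11y "$raw" || true
    echo "== third-party apps allowed to draw over other apps =="
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        ops=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
        if overlay_allowed "$ops"; then
            # firstInstallTime helps match the app against when the APK arrived.
            when=$(adb shell dumpsys package "$pkg" | tr -d '\r' | grep -m1 firstInstallTime)
            echo "$pkg ($when)"
        fi
    done
}

if [ "${1:-}" = "--device" ]; then device_triage; fi
```

Run it with `--device` while the phone is connected; anything it lists that you did not knowingly install is what steps 2 and 3 tell you to remove or disable.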
 
Report the incident to the National Cyber Crime Helpline at 1930 or through cybercrime.gov.in. Your report contributes to the broader investigation picture.
 
Staying Ahead of the Threat
Prevention remains far easier than recovery. Never install APK files shared through WhatsApp, Telegram, SMS, or email — regardless of how official the sender appears. Only download apps from the Google Play Store or the device-maker's official app store.
 
Think carefully before granting ‘accessibility access’ to any application; it is one of the most powerful permissions on the Android system and should almost never be given to an app you did not specifically seek out. 
 
Keep your device's software and security patches up-to-date. Enable transaction alerts for all banking and UPI activity so any unauthorised movement is flagged immediately.
 
The Bigger Picture
Cybersecurity experts are clear that malware like this is not the work of opportunistic amateurs. It is part of a sophisticated, organised fraud ecosystem — one that combines psychological manipulation with serious technical engineering. 
 
Remember, these attacks depend heavily on social engineering: getting the user to grant access themselves, willingly, in a moment of anxiety or trust.
 
The fraud that emptied Ramesh Kulkarni's account did not begin with a hacker breaking through a firewall or breaching the device security. It began with a message that looked real, a name he recognised and a moment of misplaced trust. His phone did not get hacked. He was persuaded to open the door.
 
Your smartphone is not just a device anymore. It is your bank, your identity, your personal archive. Treat it accordingly.
 
Stay Alert, Stay Safe!