
400 criminals supplied malware by Telegram bot: Inside Gujarat's major cyber crime network

Investigators found that the main accused had created a Telegram Bot that functioned as an underground marketplace for cyber criminals to purchase, download, renew or replace various APK files.

Dilip Singh Kshatriya

AHMEDABAD: In a major breakthrough against cybercrime, the Ahmedabad Cyber Crime Police has dismantled a highly sophisticated syndicate linked to the infamous Jamtara network, exposing a well-organised racket that used malicious APK files to infiltrate mobile phones and drain victims' bank accounts.

The operation was launched following specific directions from Deputy Commissioner of Police Lavina Sinha.

Acting under the supervision of Assistant Commissioner Hardik Mankadiya, a dedicated investigation team was formed to trace the cyber criminals behind the growing number of complaints received through the National Cyber Helpline.

Investigators conducted a detailed analysis of multiple cyber fraud complaints registered at the Ahmedabad Cyber Crime Police Station. Technical intelligence, digital forensics and human intelligence inputs revealed a common pattern: victims were being tricked into downloading malicious APK applications under the guise of utility bill updates, bank KYC verification, customer support services and government-related notifications.

The investigation gained momentum after a complaint lodged by Hansol resident Naresh Sabnani. According to the complaint, he received a WhatsApp message purportedly sent on behalf of Sabarmati Gas Limited warning that his gas connection would be disconnected unless his pending bill was updated immediately. The message directed him to contact a so-called "Bill Update Officer" and download an application named "Sabarmati Gas Bill Update.apk."

Believing the communication to be genuine, the victim downloaded the application.

However, within moments, the malware silently took control of his mobile phone. The fraudsters gained unauthorised access to sensitive information stored on the phone, including banking credentials and authentication details. Subsequently, multiple fraudulent transactions were executed from his HDFC Bank account, resulting in a loss of Rs 6.68 lakh.

Following the complaint, Ahmedabad Cyber Crime Police registered a case under relevant provisions of the Bharatiya Nyaya Sanhita (BNS) and the Information Technology Act (ITA) and launched an intensive investigation to identify the individuals operating behind the cyber infrastructure.

The breakthrough came when investigators traced the digital trail to the alleged mastermind behind the malware operation. Technical analysis revealed that the malicious APK files had been developed by Purnanand alias Mukesh Tiwari, who allegedly designed and managed several malware variants used by cyber fraudsters.

In a coordinated interstate operation, Ahmedabad Cyber Crime officials, assisted by Railway Protection Force personnel and railway security officials, tracked and apprehended the accused from a running train travelling from Kolkata to Sairang. Police described the arrest as a critical breakthrough in dismantling the cyber network.

Further investigation led to the arrest of Vikas Das, who allegedly acted as the primary distributor of the malicious APK files. Police said he supplied the malware to nearly 400 cyber criminals operating across different regions. Another accused, Sitaram Nakul Mandal, was arrested for allegedly arranging credit and debit card details and facilitating financial channels used for laundering fraud proceeds.

The probe uncovered a startlingly organised cybercrime infrastructure. Investigators found that the main accused had created a dedicated Telegram Bot that functioned as an underground marketplace for cyber criminals. Through the bot, users could purchase, download, renew or replace various APK files specifically designed for different fraud campaigns.

According to investigators, the Telegram bot offered malware templates impersonating leading banks, financial institutions and utility service providers. Fraudsters could select APK packages designed to mimic SBI KYC updates, SBI Rewards, Axis Bank services, Bank of India notifications, RTO alerts, electricity bill updates, credit card services and numerous other customer-facing platforms.


Police said the purchase and distribution mechanism was deliberately designed to conceal the identities of both buyers and sellers. Cyber criminals purchasing APK files were allegedly instructed to make payments using SBI's YONO Cash facility.

After receiving transaction details and OTP credentials, the accused would withdraw cash from ATMs, retain commissions and personally transfer the remaining money to the malware developer, thereby avoiding conventional banking trails.

Investigators also discovered that Sitaram Mandal allegedly supplied APK files to other cyber criminals while simultaneously arranging bank cards and financial accounts through which stolen funds could be routed and withdrawn.

The investigation further revealed how the malware operated once installed on a victim's device. The APK files granted fraudsters remote access to mobile phones, enabling them to monitor SMS messages, intercept OTPs, access contacts, read notifications, track call logs and collect confidential banking information. Armed with this data, the accused allegedly logged into victims' banking applications and transferred money directly from their accounts.
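As an added illustration (not part of the article or of the police investigation), the following defender-side triage script checks an Android manifest for the permission set that the capabilities described above would require (SMS access, a notification listener, contacts and call-log access) and flags the combination. The manifest, package name and label are constructed samples, and the capability-to-permission mapping is an assumption about how such access is normally obtained.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name, android:permission).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the capabilities described in the article to the
# uses-permission entries an app would need to declare for them.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
}
# Reading other apps' notifications is done through a service bound with this permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifest (not a real APK) in the shape a decoded manifest takes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.billupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Gas Bill Update">
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the package, the matched capabilities and a coarse verdict."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & requested}
    # A notification listener is declared on a <service>, not via uses-permission.
    if any(s.get(perm_attr) == NOTIFICATION_LISTENER for s in root.iter("service")):
        found.add("notification_reading")
    # Two or more of these capabilities together in a "bill update" style app is a red flag.
    verdict = "suspicious" if len(found) >= 2 else "low"
    return {"package": root.get("package"), "capabilities": sorted(found), "verdict": verdict}
```

For a real APK the binary manifest must first be decoded (for example with apktool or androguard) before it can be parsed as XML; the script is a first-pass filter, not a malware verdict on its own.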

Police recovered multiple malicious APK files during searches of the accused persons' devices. Several of these applications were found masquerading as services linked to banks, customer support platforms and financial institutions.

Investigators also seized technical evidence related to domains, servers, e-mail accounts and backend infrastructure allegedly used to run the cyber fraud operation.

One of the most alarming findings of the investigation was the malware's self-propagating mechanism. Police said the APK files were not merely sent to individual victims. Once installed, the malware automatically forwarded itself to all WhatsApp and Telegram groups connected to the infected user's device.

Every new victim unknowingly became a carrier, triggering a chain reaction that enabled the malicious application to spread rapidly across thousands and potentially lakhs of mobile phones within days.

"These cyber criminals operated a highly structured and systematic fraud network. They used fake utility alerts, KYC update messages, banking notifications and customer service communications to lure victims into downloading malware. Once access was gained, they stole banking credentials, intercepted OTPs and transferred money from victims' accounts. The investigation has exposed an organised cyber ecosystem involving malware developers, distributors and financial facilitators," officials associated with the investigation said.

Police believe the arrests have disrupted a major cyber fraud network, but investigators are continuing to probe additional suspects, financial trails and technical infrastructure linked to the operation.

Further arrests are expected as the investigation progresses.
