A 60-year-old retired man from Maharashtra's Thane district and 21 others have allegedly fallen victim to a cyber fraud involving a fake gas bill update message. According to police, the victims collectively lost more than Rs 31 lakh after cybercriminals tricked them into downloading a malicious application disguised as a utility bill update.The incident serves as another reminder of the growing threat posed by online scams that exploit trusted brands and everyday services to steal money and sensitive banking information.Fake gas bill update link leads to cyber fraudAccording to police, the complainant, a resident of Khadakpada in Kalyan, received a WhatsApp message on May 30 from an individual identifying himself as "Divesh Joshi".The message claimed that the recipient needed to update details related to his gas bill payment. To complete the process, the sender shared an APK file named:"Mahanagar Gas bill update http://Online.apk"The victim was instructed to download the file and make a nominal payment of Rs 10 using his debit card.Retired man loses Rs 8.68 lakh after downloading APK filePolice said the complainant initially attempted to make the payment using one debit card, but the transaction allegedly failed.The sender then advised him to use another card.Shortly afterwards, the victim began receiving one-time passwords (OTPs) on his mobile phone. Before he could react, unauthorised transactions were carried out from his bank accounts.Officials said a total of Rs 8.68 lakh was withdrawn from his two bank accounts through six separate transactions.Investigators suspect that the APK file contained malicious software designed to gain access to sensitive financial information.21 more victims cheated in similar online scamDuring the investigation, police discovered that the fraud was not limited to a single victim.According to officials, 21 other individuals were allegedly targeted using a similar method and collectively lost Rs 22.74 lakh.The total amount siphoned off from all victims stands at approximately Rs 31.43 lakh.Authorities are now investigating whether the fraud is linked to a larger cybercrime network targeting consumers through fake utility service messages.Police register case under BNS and IT ActThe Khadakpada Police have registered a case against the unidentified accused.The case has been filed under Section 318(4) of the Bharatiya Nyaya Sanhita (BNS), which deals with cheating, along with relevant provisions of the Information Technology Act.Officials are working to trace the individuals behind the scam and identify the digital infrastructure used to carry out the fraud.What is an APK scam?An APK file is the installation package used for Android applications.Cybercriminals often disguise malicious APK files as legitimate applications, invoices, bill payment updates or service notifications. Once downloaded and installed, these files can gain access to sensitive information stored on a user's device.In some cases, malware can intercept SMS messages, capture OTPs, steal banking credentials or remotely control parts of the device.Because APK files can be installed outside official app stores, they pose a significant cybersecurity risk when downloaded from unknown sources.How cybercriminals use fake bill payment messagesCyber fraudsters increasingly exploit trusted utility brands, telecom companies and government services to deceive users.These scams typically involve:Fake electricity bill update messagesFraudulent gas bill notificationsBogus KYC verification requestsFake bank account update alertsCounterfeit customer support messagesThe objective is often to persuade users to click suspicious links, install malware or reveal confidential financial information.Cyber safety tips to avoid APK and WhatsApp scamsCybersecurity experts recommend the following precautions:Never install APK files from unknown sourcesOnly download applications from trusted platforms such as official app stores. Avoid installing APK files received through WhatsApp, SMS or email.Verify messages independentlyIf you receive a bill payment or account update request, contact the company directly using official customer care numbers rather than responding to the message.Do not share OTPsBanks, utility providers and legitimate organisations never ask customers to share OTPs over calls, messages or social media.Check sender details carefullyFraudsters often use names that resemble genuine companies. Verify the source before clicking any link.Enable banking alertsSMS and email alerts can help customers identify unauthorised transactions quickly and report them to their banks.Keep devices updatedRegular software and security updates can help protect smartphones from malware and cyber threats.