Surat cyber fraud: Two held from Ujjain for supplying account used in ₹24.40 lakh APK scam
Synopsis
Key Takeaways
The Surat Cyber Crime Cell on Tuesday, 7 July arrested two men from Ujjain, Madhya Pradesh, for allegedly procuring and supplying a bank account used to siphon ₹24.40 lakh from a Surat resident who had downloaded a counterfeit RTO e-challan APK file that gave fraudsters remote access to his mobile phone. The arrests mark a significant breakthrough in a case that unfolded over four months earlier this year.
How the Fraud Was Carried Out
According to police, the fraud occurred between 21 January and 25 May this year. The victim received a fraudulent digital file named 'E-Chalan.apk', disguised as an official RTO e-challan application. Once installed, the APK compromised the victim's handset, enabling the accused to covertly transfer ₹24.40 lakh across three separate bank accounts without the victim's knowledge or consent.
Investigators found that ₹7,63,415 passed through a UCO Bank account linked to an Ujjain-based account holder between 12 January and 31 May. A check on the National Cyber Crime Reporting Portal (NCCRP) further revealed two additional fraud complaints from Bihar involving the same account, with combined losses of ₹70,500.
Who Was Arrested and Their Role
The two accused have been identified as Ritik Bali, 26, a labourer from Badnagar, Ujjain district, and Tinku Parmar, 44, an unemployed resident of the same town. Police allege that Bali arranged for a fresh UCO Bank account to be opened, obtained the account kit, and handed it to Parmar in exchange for a commission of ₹4,000. Parmar allegedly collected the kit and passed it on to an absconding member of the fraud network, receiving ₹8,000 in return.
The actual account holder — a friend of Bali — was himself found to have been deceived, according to Deputy Commissioner of Police (Cyber Cell) Bishakha Jain. 'Technical analysis revealed that the money had been transferred to a UCO Bank account belonging to an account holder in Ujjain. A team went to Ujjain, where questioning the account holder revealed that he, too, had been deceived. The account holder is a friend of Ritik,' she said.
The Investigation Trail
The arrests were executed by a team led by Police Inspector M.C. Nayak, operating on directions from senior officials and combining technical surveillance with human intelligence. DCP Jain confirmed that both accused are in custody and have been produced before the court. 'They were associated with the main cyber fraud gang and obtained bank accounts from account holders on commission before supplying them to the principal accused,' she said. A primary suspect remains at large.
A case has been registered at Surat Cyber Crime Police Station under Sections 318(4), 336(2), 338, 336(3), 340(2), 61(2), 3(5) of the Bharatiya Nyaya Sanhita, 2023, and Sections 66(C) and 66(D) of the Information Technology (Amendment) Act, 2008.
Public Advisory
Police have urged citizens not to download APK files received from any source — known or unknown — that claim to be bank applications, customer support tools, KYC update utilities, invitation cards, or RTO e-challans, without independent verification. Such files, authorities warned, can be weaponised to compromise mobile devices and facilitate large-scale financial fraud. This incident is part of a broader national pattern of APK-based phishing attacks that have surged in recent years, targeting mobile users unfamiliar with sideloading risks.