Imagine this: you’re scrolling through WhatsApp, and a message pops up from an unknown number with a photo of a smiling elderly man and a question, “Do you know this person?” It seems harmless, so you download the image to take a closer look. Minutes later, your bank account is lighter by ₹2 lakh. This isn’t a far-fetched story—it happened to a 28-year-old man in Jabalpur, Madhya Pradesh, and similar incidents are becoming alarmingly common across India. WhatsApp, the app we all rely on for daily chats, is now a playground for cybercriminals using sneaky techniques like steganography and malicious APKs to turn innocent-looking files into digital traps. Let’s unpack the risks, understand how these scams work, and learn how to protect ourselves.
The Growing Danger of WhatsApp Media Downloads
WhatsApp is a lifeline for millions in India—whether it’s sharing memes, family photos, or work documents. With over a third of the world’s population using the app, it’s no surprise that cybercriminals see it as a goldmine. The latest threat? Malware hidden in seemingly harmless files like images, PDFs, videos, or even audio clips. These files, often sent by unknown numbers or even compromised accounts of people you know, can silently install spyware, keyloggers, or Remote Access Trojans (RATs) on your device. Once activated, these malicious programs can steal your banking details, intercept OTPs, or even give hackers full control of your phone.
A chilling example comes from Jabalpur, where a WhatsApp user lost ₹2.01 lakh after downloading an image sent via WhatsApp. The scammers didn’t stop at sending the file—they followed up with repeated calls to pressure him into opening it. By the time he realized something was wrong, his bank account had been drained through an unauthorized ATM withdrawal in Hyderabad. Shockingly, the scammers even mimicked his voice to bypass bank verification.
How Do These Scams Work? The Role of Steganography
The secret weapon behind these attacks is a technique called steganography, a fancy word with Greek roots meaning “hidden writing.” Unlike traditional phishing scams that rely on suspicious links or fake login pages, steganography hides malicious code inside everyday files like .jpg, .png, .mp3, or .mp4 files. These files look perfectly normal to the naked eye, and even advanced antivirus software often fails to flag them.
Here’s how it works: an image, for example, is made up of pixels, and each pixel is stored as numeric values for its colors (red, green, and blue) and, in some formats, an alpha channel for transparency. Cybercriminals use a method called Least Significant Bit (LSB) steganography to tuck malicious code into the least significant bits of these values, including the alpha channel, where the change is too small for the eye to notice. When you download and open the file, the hidden code springs to life, silently installing malware that can:
Steal sensitive data like bank login credentials, OTPs, and passwords.
Grant remote access to hackers, letting them control your device.
Monitor your activity with spyware or keyloggers.
What makes this so dangerous is that you don’t need to click a link or enter any details—just viewing the image can be enough to compromise your device. And because these files often come from trusted contacts whose accounts have been hacked, it’s easy to let your guard down.
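The statistical trace that LSB hiding leaves behind, shown as an added example that is not part of the original article: overwriting low bits with random-looking data evens out the counts of each value pair (2k, 2k+1), which the pairs-of-values chi-square statistic measures. The pixel buffers are constructed samples, and the function names and the per-pair limit of 4.0 are assumptions.

```python
import hashlib

def pov_statistic(samples):
    """Sum over value pairs (2k, 2k+1) of (h0 - h1)^2 / (h0 + h1)."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat, pairs = 0.0, 0
    for k in range(0, 256, 2):
        h0, h1 = hist[k], hist[k + 1]
        if h0 + h1 < 10:              # skip sparsely populated pairs
            continue
        stat += (h0 - h1) ** 2 / (h0 + h1)
        pairs += 1
    return stat, pairs

def looks_lsb_replaced(samples, per_pair_limit=4.0):
    # Fully overwritten low bits give about 1.0 per pair; the limit is an assumed threshold.
    stat, pairs = pov_statistic(samples)
    return pairs > 0 and stat / pairs < per_pair_limit

def keystream_bits(n, seed=b"constructed-sample"):
    """Deterministic, random-looking bits standing in for encrypted hidden data."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n]

def constructed_cover():
    # Constructed stand-in for decoded pixel values: even values 3x as common as odd.
    cover = []
    for k in range(96, 128, 2):
        cover += [k] * 300 + [k + 1] * 100
    return cover

def constructed_stego():
    # Same buffer with every low bit overwritten, to give the detector a positive sample.
    cover = constructed_cover()
    return [(p & 0xFE) | b for p, b in zip(cover, keystream_bits(len(cover)))]

if __name__ == "__main__":
    print("cover flagged:", looks_lsb_replaced(constructed_cover()))
    print("modified flagged:", looks_lsb_replaced(constructed_stego()))
```

A flag from this check only says the low bits look unnaturally uniform; it does not reveal what was hidden, and the limit needs tuning against real decoded pixel data.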
APK Scams: Another Layer of Risk
Beyond steganography, cybercriminals are also spreading malware through APK files disguised as legitimate apps or documents. These files, often sent via WhatsApp, trick users into installing them by posing as something enticing—like a “wedding invitation” or a fake app from a trusted source like a bank or government agency. Once installed, these APKs can steal OTPs, banking credentials, or even turn your phone into a tool for spreading malware to your contacts.
A recent campaign reported in June 2025 targeted Indian Android users with a fake “wedding invitation” APK that installed SpyMax RAT, a type of malware that gives hackers full control of your device. These scams exploit trust and urgency, pressuring users to act quickly without checking the file’s authenticity.
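A check of a received file's actual content against the extension it claims, added here as an example and not part of the original article. The file names, the helper names and the APK-like archive are constructed for illustration.

```python
import io
import zipfile

MAGIC = {  # leading bytes of common attachment formats
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf", ".apk": "apk"}

def sniff(data):
    """Identify content from its bytes; a ZIP holding a manifest and .dex code is an APK."""
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")
    if kind == "zip":
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
    return kind

def check_attachment(filename, data):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    if actual == "apk":
        findings.append("installable Android package")
    expected = CLAIMED.get(ext)
    if expected and expected != actual:
        findings.append(f"extension {ext} but content is {actual}")
    return findings

def constructed_apk_like():
    # Constructed sample: a ZIP with the two entry names an APK carries, placeholder bodies.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("classes.dex", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_attachment("Wedding Invitation.pdf", constructed_apk_like()))
```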
Why India Is a Hotspot for These Scams
India’s massive WhatsApp user base and growing reliance on digital payments make it a prime target for cybercriminals. Reports of steganography-based scams have surfaced across the country, from Jabalpur to Hyderabad, with victims losing lakhs in minutes. The rise of UPI transactions and mobile banking has made it easier for hackers to siphon money directly from victims’ accounts. Add to that the fact that many users, especially the elderly or less tech-savvy, may not recognize the signs of a scam, and you’ve got a perfect storm.
What’s more, WhatsApp’s delay in addressing vulnerabilities doesn’t help. For instance, a security flaw in version 2.2450.6 allowed attackers to exploit unverified file types, and Meta’s reliance on manual app updates left users vulnerable for longer than necessary.
How to Protect Yourself: Practical Tips
The good news? You can significantly reduce your risk by taking a few simple steps. Here’s how to stay safe:
Disable Auto-Download in WhatsApp: Go to Settings > Storage and Data > Media Auto-Download and turn off automatic downloads for photos, videos, and documents under all network conditions (Wi-Fi, mobile data, and roaming). This ensures files don’t sneak onto your device without your consent.
Don’t Trust Unknown Numbers: If you get a message with an image, video, or APK from an unknown number, delete it immediately without opening it. Even if it’s from a known contact but seems fishy, double-check with them before downloading.
Use Reliable Antivirus Software: Install a trusted antivirus app and keep it updated. While most consumer-grade antivirus tools struggle with steganography, they can still catch some threats. For better protection, look for apps with behavioral analysis or forensic tools.
Update Your Apps and Device: Regularly update WhatsApp and your phone’s operating system to patch security vulnerabilities. Meta has fixed some issues, but you need to manually update to stay protected.
Avoid Suspicious APKs: Only download apps from trusted sources like the Google Play Store or Apple App Store. Never install APKs sent via WhatsApp, no matter how legitimate they seem.
Report and Block: If you spot a suspicious message or number, report it to WhatsApp and block the sender. You can also file a complaint on India’s Cybercrime portal at cybercrime.gov.in or call 1930 for immediate help with financial fraud.
Spread Awareness: Share this knowledge with friends and family, especially those who may not be tech-savvy. The more people know, the harder it is for scammers to succeed.
The Bigger Picture: Staying Vigilant in a Digital World
These WhatsApp scams are a stark reminder that as technology evolves, so do the tricks cybercriminals use. Steganography and APK-based attacks are just the latest in a long line of threats, from phishing links to fake apps. What makes them so effective is how they exploit our trust—whether it’s a familiar contact or an innocent-looking photo.
The Jabalpur case and others like it show how quickly these scams can turn your life upside down. But by staying cautious, keeping your settings secure, and educating those around you, you can stay one step ahead of the hackers. Next time you get a random image or file on WhatsApp, pause and think: is it worth the risk? A single click could cost you your privacy, your money, or both.
My WhatsApp Journey:
WhatsApp scams, APKs, spyware, malware and so on: none of these are new tricks. I've personally seen thousands of such incidents over the past few years during my research, where the affected users are not only random ordinary users but also include CSE students, corporate employees and so on. It's just that not every case gets reported, and definitely not every incident makes it to the news. So, in that sense, there's really nothing surprising about any of this.
In fact, I haven't used WhatsApp personally for a long time. I stopped using my personal account back in 2018, right after my initial preliminary research on the app. And as for my WhatsApp Business account, I discontinued that in October 2023, after five years of in-depth research into WhatsApp.
In the ever-evolving landscape of digital threats, a static approach to security is an open invitation to risk. It's becoming increasingly clear that relying solely on past prevention steps, no matter how robust they once seemed, is no longer sufficient or final. The rapid innovation in cybercrime means that what was considered cutting-edge protection yesterday can be obsolete today. Therefore, continuous learning and staying updated with the very latest information, emerging threats, and adaptive prevention strategies is not just advisable, but absolutely essential for everyone navigating the digital world. Only through constant vigilance and a commitment to ongoing education can individuals and organizations hope to outmaneuver the sophisticated tactics of cyber adversaries.
In the rapidly accelerating world of digital threats, a static approach to security is no longer a viable option. What was once considered robust protection can quickly become outdated in the face of constantly evolving cybercrime. The sophistication of attacks, from AI-powered malware and advanced social engineering to new forms of steganography, demands a dynamic defense. Therefore, for every individual and organization, continuous learning and staying updated with the latest information, emerging threats, and adaptive prevention strategies isn't just advisable—it's an absolute imperative. Relying solely on past prevention steps, no matter how effective they were at the time, is an insufficient and ultimately unsustainable approach to safeguarding our digital lives. Only through unwavering vigilance and a commitment to ongoing education can we hope to navigate and survive the complex digital landscape.
Let’s make digital safety a habit. Stay safe, and think before you click!