
Fake e-Challan WhatsApp Scam 2026: Don't Tap That Link

The fake e-challan WhatsApp scam uses malicious APK files to install malware on Android phones, intercepting bank OTPs and draining UPI-linked accounts within minutes. Victims in India have lost amounts ranging from Rs 2.49 lakh to Rs 6 lakh in documented cases.
Founder & Tech Writer, GetInfoToYou | Updated | 7 min read | Fact-checked: Sudarshan Babar | Reviewed 27 May 2026

Educational Purpose: This article is published to help readers identify and protect themselves from online scams. We do not promote or endorse any fraudulent activity. If you have been a victim, call 1930 or report at cybercrime.gov.in.

Key Takeaways

  • The fake e-challan WhatsApp scam installs APK malware on Android phones that intercepts OTPs and drains UPI-linked bank accounts, often within minutes of installation.
  • Real traffic challans in India never arrive as APK download links over WhatsApp. Always verify challans directly at echallan.parivahan.gov.in by typing the URL yourself.
  • If you receive a suspicious challan message, never install the APK. If you already did, turn on airplane mode immediately, uninstall any unknown app, and call 1930.
  • Documented victims have lost between Rs 2.49 lakh and Rs 6 lakh in single incidents from this scam, according to reports by the Times of India and Economic Times.
  • Report to the National Cybercrime Helpline on 1930 and file a complaint at cybercrime.gov.in if you have been targeted.

If you own a vehicle in India, there's a good chance you've already received one: a WhatsApp message claiming your vehicle has an unpaid traffic challan worth ₹500 to ₹1,500, with a link to "view details" or "pay now." The fake e-challan WhatsApp scam is one of the most aggressively spreading cyber frauds in India right now, and it's specifically designed to look legitimate on your Android phone. A woman in Delhi reportedly lost ₹6 lakh after clicking one such link. A man in Delhi lost ₹2,49,246.61 over what he thought was a ₹500 traffic fine. Delhi Police has issued formal warnings. Cyber police across states from Tripura to Maharashtra have reported a major spike in cases. This scam works. That's the uncomfortable truth.

What the fake e-challan scam actually is

This isn't your typical "click the link and enter your bank details" phishing attack. Honestly, it's more sophisticated than that, which is partly why it's catching so many people off guard.

The scam uses an APK file, basically a direct Android app installation package, disguised as an official government app. When you tap the link in WhatsApp, it doesn't take you to any government website. It downloads and installs a malicious app on your Android phone. Once it's installed, that app quietly requests permissions to access your contacts, SMS messages, call logs, and UPI apps. Sometimes WhatsApp itself too.

Cybersecurity firm CYFIRMA published a technical report on this specific campaign, calling it APK-based financial and identity theft. The malware can intercept OTPs sent by your bank. That's really all the fraudsters need to drain your account, without you doing anything more than tapping one link.

The message looks shockingly real. It often includes your actual vehicle registration number, which attackers can find through public data sources or leaked databases (I'm not sure exactly how these databases get out, but it's clearly not hard for them to get hold of this). It has a challan number and a fake fine amount, with a payment deadline. Some messages even use the official logo of the Ministry of Road Transport and Highways or the e-challan portal. And it arrives on WhatsApp, which feels more personal and trustworthy than email for most people.

How this scam works, step by step

  1. You receive a WhatsApp message claiming your vehicle (for example, "DL 01 AB 1234") has an unpaid RTO challan.
  2. The message includes a link designed to look official, something like "echallan-parivahan-gov.in" or a direct APK download link, pointing to a fraudulent domain.
  3. Tapping the link either opens a fake payment website or directly starts downloading a malicious APK file to your phone.
  4. If you allow installation, which Android prompts you to confirm when installing from unknown sources, the malware installs silently or disguises itself as a challan payment app.
  5. The app then requests permissions: SMS access, contacts, phone calls, and in advanced versions, accessibility services that let it read and interact with every other app on your phone.
  6. The malware monitors your SMS inbox for OTPs. When you open PhonePe, Google Pay, Paytm, or your banking app, it can capture your credentials. Some variants also harvest saved passwords from browsers.
  7. In documented cases reported by the Times of India, attackers then took over the victim's WhatsApp using intercepted OTPs, messaged the victim's contacts to spread the scam further, and simultaneously initiated UPI transactions from the victim's bank accounts.

The whole process, from one tap to full account drain, can happen in minutes. That's how someone loses ₹2.5 lakh before they've even understood what just happened.

Warning signs that a challan message is fake

There are clear tells. You just have to know what to look for.

  • It arrived via WhatsApp or SMS from an unknown mobile number, not from a verified government sender ID. Legitimate traffic challan notifications in India come via SMS from sender IDs like EPVHCL or TRAOFF, not from random mobile numbers or foreign numbers starting with +92 or +1.
  • The link ends in .apk, or the URL mixes words like "download" with "parivahan" or "echallan." The real e-challan portal is echallan.parivahan.gov.in and only that.
  • The message creates urgency: "Pay within 24 hours or face legal action" or "Your driving license will be suspended." Government notices don't operate this way over WhatsApp.
  • You're being asked to install an app to pay the fine. The actual government e-challan system works through browser-based payment on the official website, or through apps like mParivahan available on the Play Store, not through an APK sent over a chat app.
  • The fine amount is suspiciously small, like ₹500 or ₹700. Small enough that you don't question it. Large enough to prompt immediate action.

Check before you click: You can verify any pending challan against your vehicle number directly at echallan.parivahan.gov.in. Type that URL yourself in your browser. Don't click a link from any message. Enter your vehicle registration number and you'll see everything. Takes two minutes and costs nothing.
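
The link checks from the list above, written out as an added example (not code from the original article or from any official tool). It compares the link's host exactly against echallan.parivahan.gov.in rather than searching for the word "parivahan", which is what lookalike domains rely on. The sample links and the .example domains are constructed placeholders.

```python
from urllib.parse import urlsplit

# The only official challan host named in the article.
OFFICIAL_HOSTS = {"echallan.parivahan.gov.in"}
# Words the article says fake links borrow to look official.
BRAND_WORDS = ("parivahan", "echallan")


def check_link(link: str) -> list[str]:
    """Return warning flags for one link; an empty list means the official host."""
    url = link.strip()
    if "://" not in url:
        url = "http://" + url  # chat apps linkify bare domains too
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    flags = []
    if parts.path.lower().endswith(".apk"):
        flags.append("apk-download")
    if host not in OFFICIAL_HOSTS:
        flags.append("not-official-host")
        # Brand words anywhere in a non-official URL are impersonation, not proof.
        if any(word in url.lower() for word in BRAND_WORDS):
            flags.append("lookalike-branding")
    if parts.username is not None:
        # "official.host@other.host" really opens other.host
        flags.append("userinfo-trick")
    return flags


# Constructed sample links; the .example domains are placeholders.
SAMPLES = [
    "https://echallan.parivahan.gov.in/",
    "echallan-parivahan-gov.in/pay",
    "http://files.cdn.example/download/RTO_Challan.apk?id=7",
    "https://echallan.parivahan.gov.in.pay-fine.example/",
    "https://echallan.parivahan.gov.in@pay-fine.example/x",
]

if __name__ == "__main__":
    for link in SAMPLES:
        flags = check_link(link)
        print("OK   " if not flags else "BLOCK", link, flags)
```

The last two samples show why a "contains the official name" check fails: the official host appears in both, but the browser actually connects to pay-fine.example.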

How to protect yourself right now

Some of this is prevention. Some is damage control if you've already tapped something suspicious.

Never install APK files from links sent over WhatsApp or SMS. This is the single most important thing here. APKs from unknown sources bypass the Play Store's basic security scanning entirely, and there's no easy way for a non-technical person to check whether they're safe.

On your Android phone, go to Settings and look for "Install unknown apps" or "Unknown sources." Make sure no app has permission to install unknown apps, especially browsers and WhatsApp. This takes about 30 seconds and closes the most common attack vector in this scam.

Enable two-step verification on your WhatsApp (Settings > Account > Two-step verification). If attackers do intercept your OTP, they'll still need your six-digit PIN to take over your account.

If you've already tapped a suspicious link, here's what to do right now:

  • Turn on airplane mode to cut internet access immediately.
  • Don't open any banking or UPI apps on the affected phone until it's clean.
  • Go to Settings > Apps and look for any recently installed app you don't recognize. Uninstall it.
  • A factory reset is the safest option if you suspect malware is installed, especially if you granted the app accessibility permissions.
  • Call your bank immediately to freeze your accounts. For UPI-linked accounts, inform NPCI through your bank's customer care helpline.
  • Change passwords for your banking apps and email accounts on a different, clean device before using those services again.

Keep your Android updated too. Many of these malware variants exploit older security vulnerabilities that are already patched in recent Android versions. I know that's harder to do on older budget phones, and a lot of people in India are on devices that stopped getting security updates years ago. That's a real vulnerability, and these attackers are well aware of it. If your phone can update, update it.

You can also check our guide to scanning Android phones for suspicious apps or read our Android security checklist for Indian users for more detailed steps.

Where to report if you've been targeted

Report fast. For UPI fraud, speed is what matters most. The faster you report, the better the chance of blocking or reversing the transaction.

  • Call 1930, the National Cybercrime Helpline, immediately if money has left your account. It's a 24/7 helpline specifically for financial cyber fraud.
  • File a complaint at cybercrime.gov.in under the "Financial Frauds" section. Have your bank statement, screenshots of the WhatsApp message, and the APK filename ready before you start.
  • Visit your local cyber cell at the district police headquarters. A written complaint creates a paper trail that matters if money needs to be recovered through courts.
  • Report the malicious domain and APK to CERT-In at cert-in.org.in. They track active malware campaigns and can help get fraudulent domains flagged and taken down faster.
  • In WhatsApp: open the chat from the scam sender, tap the three dots, select "Report." This flags the number to WhatsApp's security team for investigation.

If you can, screenshot the original message before deleting it. Note the sender's number and the APK filename if you saw it (these small details matter more than you'd think once an investigation starts).

Look, if you or someone you know clicked a link like this and lost money, it's not about being careless or naive. These messages are well-crafted. They often include your actual vehicle registration number, which makes them feel personal and real. The fake challan scam is part of a broader wave of government-impersonation frauds in India that keep getting more technically sophisticated year after year. Share this with anyone in your family who drives a vehicle, especially parents and older relatives who may not question a message that mentions their car number by name.

And while you're at it, check your DigiLocker and Aadhaar login history for any unknown sessions if your phone was compromised. These scams sometimes go further than just bank accounts.

Frequently Asked Questions

Go directly to echallan.parivahan.gov.in in your browser, type the URL yourself without clicking any link, and enter your vehicle registration number. This is the only official government source for checking pending challans. You can also use the mParivahan app downloaded from the Google Play Store.
Turn on airplane mode immediately to cut internet access, then go to Settings > Apps to find and uninstall any unknown recently-installed app. Call your bank to freeze your accounts and file a complaint at cybercrime.gov.in or call 1930. A factory reset is the safest option if you granted the app accessibility permissions.
iPhones are much less vulnerable because iOS does not allow APK file installation at all. APK is an Android-only file format. However, iPhone users can still be targeted by fake website versions of the scam that ask for UPI credentials or OTPs directly in a browser.
Vehicle registration data can be accessed through certain public APIs, leaked government databases, or by scraping data from parking apps and toll records. The fact that a message contains your actual vehicle number is not proof that it came from the government or any legitimate source.
Founder & Tech Writer, GetInfoToYou
Sudarshan Babar is a technology writer focused on making AI, cybersecurity, and digital government services accessible to Indian readers. He covers UPI scams, Aadhaar security, and emerging tech tools…
