Sri Lanka Police have issued a public warning over a new financial fraud being carried out through malicious “.apk” files circulated via WhatsApp and Telegram.
Police said the files are often disguised as wedding invitations, electricity bills or lottery notices. Once a user clicks the file, it installs harmful software on the mobile phone that allows attackers to control the device screen and read SMS messages, including confidential One-Time Password (OTP) codes linked to bank accounts. Victims’ accounts are then drained remotely.
The force urged the public never to download or open suspicious “.apk” files, even when they appear to come from friends. “Always use Google Play Store or Apple App Store to obtain apps, and ensure the ‘Install Unknown Apps’ option in phone settings is disabled,” the statement said.
Anyone who suspects they have fallen victim was advised to suspend their bank accounts immediately and report the matter to the nearest police station or the Computer Crimes Division of the Criminal Investigation Department.
The warning is the latest in a run of cyber-fraud alerts this month. Police earlier flagged a phishing campaign impersonating SriLankan Airlines and a deepfake investment scam using former cricketer Kumar Sangakkara’s image. A separate fake-bank website fraud case led to an arrest in Minuwangoda this week, with the Computer Crimes Division reporting a sustained rise in social-engineering attacks targeting mobile banking customers.