8th-grade dropout built malware, sold 50+ files to cyber fraudsters on Telegram for Rs 4,000 each
Investigation reveals 25-year-old developer sold apps that bypass anti-virus software to criminals across states.
Abhay Sahni (25) was arrested by the Delhi Police during a raid in Uttar Pradesh’s Deoria on May 14. (Source: Express Photo)
Imagine getting a call saying your electricity connection will be cut within hours unless you make an immediate payment. Then comes a WhatsApp message with a “Customer Support APK (Android Package Kit)” meant to solve the issue.
You install it, hoping to avoid inconvenience — unaware that the app may have just handed strangers complete access to your phone, messages, OTPs and bank account.
That’s the scam that Delhi Police said led them, while solving a cyber fraud case, to a 25-year-old alleged malware developer operating Telegram channels under the name ‘Jamtara Official Developer’.
On May 14, a police team conducted a raid in Uttar Pradesh’s Deoria looking for the suspect, Abhay Sahni, who allegedly sold malicious APKs to cyber fraudsters — only to find him casually eating ice cream with his friends near his house.
During questioning, police were stunned to find that Sahni had only studied till Class 8 but knew how to develop and modify malicious APKs, a skill he learnt through YouTube, and sold them to cyber fraudsters across states for around Rs 4,000 per APK.
Sahni was arrested in connection with a cheating case registered on July 29, 2025, at the Cyber Police Station in Central District. Police said Sahni lives with his wife and two-year-old child; he had told his family he was in the business of selling mobile phones.
The fraud
According to police officers, the case was registered after a complainant reported that Rs 1,20,999 had been fraudulently transferred from his bank account through unauthorised digital transactions.
Deputy Commissioner of Police (Central) Rohit Rajbir Singh said the victim had received a call from an unknown person posing as an electricity department official, who claimed his electricity meter would be disconnected unless an immediate payment was made.
The fraudster allegedly sent a malicious application named ‘Customer Support APK’ via WhatsApp and convinced the complainant to install it. Soon after installation, police said, the accused gained remote access to the victim’s mobile phone and carried out multiple fraudulent transactions.
The investigation
DCP Singh said after the case was lodged, a Special Investigation Team was formed under the guidance of ACP (Operations) Padam Singh Rana and supervised by SHO, Cyber Central, Inspector Yograj Dalal.
The team, led by Sub-Inspector Ranvijay Singh along with Head Constables Sandeep and Paramveer, carried out an extensive technical investigation into the backend architecture of the malicious APK.
Police said the application was a ‘FUD’, a Fully Undetected malicious APK designed to bypass anti-virus and mobile security systems, enabling cyber criminals to remotely access victims’ devices.
An APK is the file format (.apk) Android uses to install apps, especially those downloaded outside official app stores. Cyber fraudsters often disguise malicious APKs as bank updates, traffic challan notices, electricity or gas bill payment apps, pension schemes, or government documents — and send them to victims through SMS links or messaging platforms (see box).
Police said their probe in the current case led them to a man who allegedly procured and used malicious APKs in cyber fraud cases. On December 5 last year, they arrested Umesh Kumar Rajak, a 25-year-old resident of Gorakhpur, Uttar Pradesh.
Following a Telegram trail
Further technical surveillance and digital analysis led investigators to Telegram IDs, “@rahul_kumar717” and “Jamtara_official_Developer”, from where the APKs were allegedly being supplied. Police identified the administrator as Sahni and arrested him earlier this month.
During questioning, police said Sahni allegedly admitted to operating Telegram channels under the name “Jamtara_official_Developer” and selling malicious files.
Police said the accused learnt cyber fraud techniques, APK development, remote-access exploitation, and anti-detection methods through YouTube videos, Telegram groups, and social media platforms.
Police said he had sold nearly 40-50 malicious APKs and admitted to his involvement in cheating around 20-25 victims through similar scams.
During the raid, police recovered 11 mobile phones, including five iPhones, three Google Pixel devices, and three Android phones, along with 11 debit cards, eight SIM cards, and a Ledger Nano S Plus crypto hardware wallet. A car purchased in the name of Sahni’s brother was also seized and is currently under verification.
Police said further investigation is underway to trace the wider network, financial transactions, and links with organised cyber fraud syndicates operating across the country.
BOX: Here’s how the fraud typically works, step by step:
The bait: The victim receives a message claiming urgent action is needed — for example, to pay a traffic fine, update a bank account, or download a bill payment app.
The download link: The message contains a link to download an APK file directly onto the phone, bypassing official app stores.
Permission requests: Once opened, the app asks for permissions such as accessibility access, SMS access, notification access, or screen-sharing permissions. The requests are often presented as necessary for the app to function.
Device access: After permissions are granted, the malicious app can begin monitoring activity on the phone. Depending on its capabilities, it may read SMS messages and OTPs, capture keystrokes, track banking activity, intercept notifications, or remotely control parts of the device.
Fraud execution: Using the stolen information, cybercriminals can access bank accounts, authorise transactions, take over accounts, or carry out financial fraud without the victim immediately realising it.
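As an added example (not part of the original report, and not the investigators' tooling), the following Python checks a decoded AndroidManifest.xml for the permission requests listed in the box and grades the combination. The sample manifest, the package name and the "high"/"review"/"low" levels are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capabilities named in the box, mapped to the manifest entries that request them.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}

# Constructed sample: decoded manifest of a hypothetical sideloaded "support" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.customersupport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Customer Support">
    <service android:name=".HelpService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".AlertService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".ShareService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

def risky_capabilities(manifest_xml):
    """Return the set of box-listed capabilities a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") in SMS_PERMS:
            found.add("sms")
    for svc in root.iter("service"):
        binding = svc.get(ANDROID_NS + "permission")
        if binding in SERVICE_BINDINGS:
            found.add(SERVICE_BINDINGS[binding])
        fgs_types = (svc.get(ANDROID_NS + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in fgs_types:
            found.add("screen_capture")
    return found

def verdict(manifest_xml):
    """Grade an app: SMS access paired with a monitoring capability is 'high'."""
    caps = risky_capabilities(manifest_xml)
    monitoring = caps & {"accessibility", "notifications", "screen_capture"}
    level = "high" if "sms" in caps and monitoring else ("review" if caps else "low")
    return level, sorted(caps)
```

The AndroidManifest.xml inside an APK is stored in a binary format, so it has to be decoded to plain XML (for example with apktool) before this check can parse it.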