
UPI Overlay Scam: The Invisible Trap Stealing Your PIN Without You Knowing

Reading Time: 9 min | You open your genuine PhonePe, Google Pay, or bank app to make a payment. Everything looks normal — until your money silently vanishes. This is the terrifying reality of the UPI Overlay Scam, one of the fastest-rising cyber threats in India in 2026.
31 March 2026 by Hridhaan Sahay

The UPI Overlay Scam, also known as Malicious App Overlay Fraud, is a technically advanced cyber attack where fraudsters use fake Android apps to steal your UPI PIN and money without your knowledge.

How the Scam Works:

Victims are tricked into downloading what appears to be a legitimate app — often disguised as a utility bill payment tool, electricity recharge app, traffic challan payment, wedding invitation, or government service app. These malicious APKs are usually shared via WhatsApp links, SMS, or unofficial websites.

Once installed, the app runs silently in the background. When you open your real banking or UPI app to make a transaction, the malware instantly draws a transparent or look-alike overlay on top of the original app interface. As you carefully enter your UPI PIN, the malicious app captures every digit in real time and sends it to the scammers. In some cases, the overlay redirects the entire transaction to the fraudster’s account while showing you a fake “Payment Successful” screen.

In January–March 2026, hundreds of users, particularly in Mumbai, Delhi, and other major cities, lost money through this method. Many victims only realized the fraud hours or days later when checking their bank balance.

Anonymous Real Story:

A 34-year-old software engineer from Mumbai downloaded what he thought was an official “Electricity Bill Payment” app promoted through a WhatsApp group for his housing society. The app looked professional and even showed his correct pending bill amount.

A few days later, while transferring ₹18,000 to a vendor using Google Pay, he entered his UPI PIN as usual. The screen looked completely normal. Within minutes, ₹45,000 was deducted from his account in three quick transactions. He had not scanned any QR code or approved any unusual request. The malware had overlaid a fake interface and captured his credentials. By the time he noticed, the money was already gone. He later discovered the “bill payment” app was the culprit.

This case is similar to dozens reported across Mumbai and Delhi in early 2026.

Why This Scam is So Dangerous:

  • The fake overlay looks pixel-perfect (thanks to advanced tools)
  • It works against genuine apps, including ones installed from the Play Store, because the overlay sits on top of the real app rather than modifying it
  • Victims often don’t suspect anything because the interface feels normal
  • Many malicious apps request Accessibility permissions, giving them deep control over the phone

How to Protect Yourself:

  • Never download apps from WhatsApp links, SMS, or third-party websites
  • Download banking and UPI apps only from Google Play Store
  • Be extremely cautious with apps asking for Accessibility Service permission
  • Regularly check installed apps and remove suspicious ones
  • Set a low daily UPI transaction limit
  • Enable transaction SMS/email alerts and monitor your accounts daily
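The two capabilities the article points at, an enabled Accessibility service and permission to draw over other apps, can both be read off a phone with adb. Below is an added example (not code from the article) of a small POSIX shell audit helper that parses the output of the real commands `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` and flags a package that has both; the package names and the sample command output are constructed for demonstration.

```shell
#!/bin/sh
# Added example: flag installed packages that (a) have an enabled Accessibility
# service and (b) request SYSTEM_ALERT_WINDOW ("draw over other apps"), the two
# capabilities overlay malware relies on. Real inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys package <pkg>
# The values below are constructed samples, not output from a real device.

# Constructed sample of enabled_accessibility_services: colon-separated
# "package/serviceclass" entries.
SAMPLE_A11Y='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.billpay/com.example.billpay.OverlayService'

# Constructed, abbreviated dumpsys package output for one package.
SAMPLE_DUMPSYS='Package [com.example.billpay] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.BIND_ACCESSIBILITY_SERVICE
  install permissions:
    android.permission.INTERNET: granted=true'

# Print the package name of every enabled accessibility service, one per line.
a11y_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Succeed (exit 0) if the dumpsys text shows the package requesting the
# draw-over-other-apps permission.
requests_overlay() {
  printf '%s\n' "$1" | grep -q 'android.permission.SYSTEM_ALERT_WINDOW'
}

# Combine both signals for one package. Prints "REVIEW <pkg>" and returns 0
# when it has an enabled accessibility service AND can draw over other apps;
# otherwise prints "ok <pkg>" and returns 1.
audit_package() {
  pkg="$1"; a11y="$2"; dump="$3"
  if a11y_packages "$a11y" | grep -qxF "$pkg" && requests_overlay "$dump"; then
    echo "REVIEW $pkg: accessibility service enabled + overlay permission"
    return 0
  fi
  echo "ok $pkg"
  return 1
}

# Demonstration on the constructed samples. On a real device, loop over
# `adb shell pm list packages -3 | cut -d: -f2` and feed each package's dumpsys.
audit_package com.example.billpay "$SAMPLE_A11Y" "$SAMPLE_DUMPSYS"
```

A hit is a prompt to review the app, not proof of malware: legitimate screen readers and some password managers also use Accessibility services.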


Key Learning

Convenience can be costly. Never install any app that comes through unsolicited messages, no matter how urgent or useful it looks. Always verify the source. A few seconds of caution can save you from losing lakhs.

Source: Economic Times, Mint, CloudSEK reports, and RBI alerts (March 2026)

Fact checked with Grok
