Share
APK MALWARE / SMISHING

LPG gas KYC scam: the fake Indane, Bharat Gas and HP Gas e-KYC message that drains your bank

A WhatsApp message or SMS dressed as your gas agency warns that your LPG connection or subsidy will be stopped unless you finish an urgent e-KYC. The link opens a fake oil-company page that steals your bank and UPI details, or you are told to install a "gas KYC" APK that quietly takes over your phone and empties your account. Here is how to know it is fake in seconds, without tapping the link or installing anything.

SafeBrowz Threat Research Security ResearchJuly 4, 20269 min read

Verdict: an LPG "e-KYC" link or "gas KYC" APK sent over WhatsApp or SMS is a scam

A message that claims to be from Indane, Bharat Gas or HP Gas, says your gas connection or subsidy needs an urgent e-KYC or has a "pending" payment, and gives you a link or an APK file to install is a scam. The link opens a lookalike oil-company portal that harvests your bank account, UPI PIN and OTP. The APK installs a remote-access trojan that reads your incoming SMS, captures the OTPs your bank sends, and can operate your banking and UPI apps in real time until your account is empty. Real LPG e-KYC is free, it is done only inside the official gas-company apps or in person at your distributor, and no agency ever sends an APK or a KYC link over WhatsApp. Do not tap the link. Do not install the file. Complete e-KYC only in the official iocl.com, ebharatgas.com or myhpgas.in apps, or at your gas distributor.

The Brief

This scam is riding a real deadline. Gas companies pushed households to finish LPG e-KYC by mid-2026 or risk having the subsidy that arrives by Direct Benefit Transfer paused, and that genuine urgency is exactly what fraudsters are weaponising. Across Maharashtra, Punjab, Odisha, Karnataka and Uttarakhand, people have been getting messages that look like a notice from their own gas agency, warning that their connection will be suspended unless they re-do their KYC right now. Some send you to a counterfeit Indane, Bharat Gas or HP Gas page that asks for your bank and UPI details. The nastier version tells you to install a small "gas KYC" app, an APK file, that turns your phone into a tool the attacker controls. In Dombivli, Maharashtra, two women who installed such an APK and entered their details watched around four lakh rupees vanish from their accounts. The rule that beats every version of it is the same one that beats a fake RTO e-challan APK: never install an app or type your bank details from a link in a message, only from the official app you open yourself.

What the fake LPG KYC message looks like

The message arrives on WhatsApp or as an SMS and reads like a short, official notice. "Dear customer, your Indane gas connection will be blocked today. Complete your e-KYC to continue your LPG subsidy." Or "Your Bharat Gas KYC is pending. Update now to avoid disconnection." Some offer a bait instead of a threat, a "cheaper cylinder booking" or a "pending subsidy of Rs 300 waiting to be credited." There is always a link, or a phone number that later sends you one, and a deadline pushing you to act before you stop to think.

Tap the link and one of two things happens. In the first version you land on a page that copies the look of the real oil-company site, complete with the Indian Oil, Bharat Petroleum or HPCL logo, and asks you to "verify" your gas connection by entering your bank account number, your UPI ID and the PIN, or an OTP. Everything you type is captured. In the second, more dangerous version you are told to download and install an app to finish the KYC, a file with a name like IndaneGas-KYC.apk, LPG-KYC-Update.apk or GasKYC.apk. Because it does not come from the Play Store, your phone warns you about installing from an unknown source, and the message coaches you to allow it anyway.

Once installed, that APK is a remote-access trojan. It asks for permission to read your SMS and to run in the background, and the moment you grant it, it can see every text your bank sends, including the OTP for a transaction the attacker is starting on your account at that exact second. Some of these apps hide their icon so you forget they are even there. Investigators have described devices where the malware then quietly forwards the same "gas KYC" link and APK to the victim's own WhatsApp contacts, so the next person sees it arriving from a friend or family member and trusts it. That is how a single tap spreads across a whole address book.

The tell is the address. A real gas-company page only ever lives on the official oil-company domains. The links in these messages go nowhere near them. They point to lookalikes such as indane-kyc-update[.]top, bharatgas-ekyc-verify[.]shop or hpgas-subsidy[.]info (illustrative examples, not real gas-company domains). The brand name, "indane," "bharatgas" or "hpgas," is glued to "kyc," "ekyc," "subsidy" or "verify," and parked on a cheap ending like .top, .shop or .info that Indian Oil, BPCL or HPCL would never use. If the page asking for your bank details or offering an app is on anything other than the official domain, it is fake, no matter how right the logo looks.

๐Ÿ›ก LIVE CHECK

Check that "gas KYC" link before you tap it

Got a WhatsApp or SMS with an LPG e-KYC or gas-subsidy link and not sure about it? Paste the link below before you tap. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

How real LPG e-KYC and the subsidy actually work

LPG e-KYC is a real requirement, so the concept is not invented, which is what makes the scam land. But the genuine process behaves nothing like the message. It is free, and there are only two legitimate ways to do it. The first is inside your gas company's own official app: the IndianOil ONE app for Indane, HP Pay for HP Gas, and the Bharat Gas app for Bharat Gas. You log in with your registered mobile number and verify with an Aadhaar-linked OTP or a quick face scan. The second is in person at your gas distributorship, where staff complete it on a biometric scanner. That is it. There is no third app to sideload, and there is no web link that needs your bank account or UPI PIN.

The subsidy works the same honest way. Under the PAHAL (DBTL) scheme, you pay the market price for the cylinder and the government credits the subsidy straight to your Aadhaar-linked bank account by Direct Benefit Transfer. It is automatic. No link is ever needed to "release" it, and no one from the gas company will ask for your bank details to send it. Worth knowing: for most ordinary households the LPG subsidy has been close to zero for a few years, and the households that still receive a meaningful amount, around Rs 300 on each 14.2-kg cylinder, are Ujjwala (PMUY) beneficiaries. So a message promising a fat "pending subsidy" if you just verify your bank account is selling you something that, for most people, does not even exist. When in doubt, ignore the message entirely and check your own status by opening your gas company's official app (IndianOil ONE, HP Pay or Bharat Gas) yourself.

The 30-second check: only the official app or your distributor, never a link

This is the whole answer, and it works whether the message is a flawless fake or something you are genuinely unsure about, because it never trusts the message.

  1. Do not tap the link and do not install any file. Nothing real is lost by pausing. A genuine connection is not blocked because you ignored a WhatsApp.
  2. Never install an APK to do KYC. Real e-KYC happens inside the official app you download from the Play Store or App Store, never from a file sent over WhatsApp or a link. If a message tells you to allow "unknown sources" or "install anyway," that alone is the scam.
  3. Open the official app or site yourself. Use the IndianOil ONE, HP Pay or Bharat Gas app, or type iocl.com, ebharatgas.com or myhpgas.in into your browser. Do not use any link from the message.
  4. No one needs your bank account, UPI PIN or OTP for e-KYC. KYC verifies your identity with Aadhaar and your registered mobile number. A page asking for banking details "to complete KYC" or "to release your subsidy" is harvesting them.
  5. If you are still unsure, call your distributor directly using the number printed on your gas passbook or the official site, not a number from the message.

That is the same rule that beats the whole category of Indian smishing, from a fake electricity bill disconnection APK to a fake delivery text: judge it on the real, official app you open yourself, never on the message that reached out to you.

Red flags that mark the LPG message as a scam

  • A link or an APK to "complete KYC." The single clearest tell. Gas agencies never send a KYC link or an app file over WhatsApp or SMS. Real e-KYC is in the official app or at the distributor only.
  • A page or app on a non-official domain. A hyphenated "indane," "bharatgas" or "hpgas" address, or a page on .top, .shop, .info or similar, is fake even if the logo is perfect. Real pages live on the official oil-company domains only.
  • A deadline and a threat of disconnection. "Your connection will be blocked today." Urgency exists to stop you checking on the real app.
  • A request for bank, UPI or OTP details. e-KYC never needs your account number, UPI PIN or the OTP your bank sends. Any page asking for them is stealing them.
  • An install-from-unknown-sources prompt. If finishing "KYC" requires you to allow installs from unknown sources, that is malware, not a gas app.
  • A too-good subsidy or cheaper-cylinder offer. A "pending subsidy" or discounted booking that you only get by "verifying" your bank details is bait. The subsidy comes automatically by DBT, no verification link required.
  • A message forwarded by someone you know. Because a compromised phone re-sends the link and APK to its contacts, a familiar sender is not proof it is safe.

What to do if you installed the APK or entered your details

Move fast. With a remote-access trojan, an account can be drained within minutes, so speed is what limits the damage.

  1. Put the phone in airplane mode or turn off mobile data and Wi-Fi. This cuts the malware off from the attacker straight away and stops it reading the next OTP.
  2. Uninstall the app. Look for a recently installed app with a generic or gas-related name, or one whose icon is hidden, and remove it. If it resists uninstalling, boot the phone into safe mode and remove it there, or do a factory reset after backing up your photos and contacts. Revoke SMS and accessibility permissions from any app you do not recognise.
  3. Call your bank now and block your account and UPI. Use the number on the back of your card or your passbook. Report unauthorised access, freeze the account, and block your cards and UPI so no more transfers can go through.
  4. Change your banking and UPI PINs and passwords from a different, clean device if you can, not the infected phone.
  5. Call the cyber-fraud helpline 1930 immediately. The sooner you report, the better the chance the bank can freeze the money before it moves out. Then file a full complaint at cybercrime.gov.in.
  6. Warn your contacts. Because the malware may have forwarded the same link and APK from your WhatsApp, tell your contacts not to tap anything that appeared to come from you.

How to report the LPG KYC scam

  • Call 1930, the national cyber-fraud helpline, as your first step if any money has moved. It exists to freeze fraudulent transfers quickly.
  • File a complaint at cybercrime.gov.in, the National Cyber Crime Reporting Portal, with the message, the number it came from, and any transaction details.
  • Report the message inside WhatsApp, using Block and Report, so the number is flagged, and warn the family group it was forwarded to.
  • Tell your gas distributor, so they can alert other customers in your area that fake KYC messages are circulating in their name.
  • Report the fraud to your bank in writing as well as by phone, which starts the formal dispute for any unauthorised transaction.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Indian Oil, Bharat Petroleum and HPCL included) plus Cyrillic and Punycode homograph checks, all running inside the extension before the page renders. A "gas KYC" page wears the Indane, Bharat Gas or HP Gas brand but sits on a domain that is not the official oil-company address, and it pairs that brand with a bank-and-UPI harvest form, an APK download, and e-KYC-deadline urgency. Reading a page's brand against the domain it actually loads on is exactly how the engine separates the real oil-company site from an impostor, and it flags the impersonation before you can type a single digit.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam-TLD lists to flag domains already reported as malicious, which covers many "complete your LPG KYC" pages and the sites that host the malicious APK as they are reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike pages in seconds, including a fresh Indane or Bharat Gas KYC clone that copies the real styling but sits on the wrong domain and pushes an APK behind a disconnection deadline.

Honest scope: SafeBrowz flags and blocks the phishing KYC page in your browser before it loads, so the "enter your bank details" step never reaches you, and it flags the lookalike site an APK is downloaded from. It reads the page you are about to open, so it cannot inspect a file you sideload directly from a WhatsApp chat, and it cannot remove a trojan already installed on the phone. Pair it with one habit: do LPG e-KYC only in the official app or at your distributor, and never install an APK sent over a message.

Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

The message is the lure, but the theft happens on the page and in the app. That link is where victims are pushed to type a bank account and UPI PIN into a counterfeit gas-company portal, or to download the file that becomes a bank-draining trojan. Browser-layer scanning catches the moment before that. When an Indane, Bharat Gas or HP Gas branded page renders on a domain that is not the official oil-company address, a brand-aware scanner flags the impersonation before the form is usable. SafeBrowz is a free extension for Chrome, Firefox and Edge, plus a live Android app (Safari coming soon), that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the one rule that beats this whole category: do LPG e-KYC only in the official app you open yourself, and never from a link or an APK in a message. The same trap sits behind many Indian scams, from fake UPI payment requests on PhonePe, Google Pay and Paytm to fake online stores, and it always comes down to where you started.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every link check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is the LPG gas KYC message from Indane, Bharat Gas or HP Gas real?

Almost never, if it contains a link or an app to install. A message that says your gas connection or subsidy will be stopped unless you complete e-KYC through a link, or that tells you to install a "gas KYC" APK, is a scam. Real LPG e-KYC is free and is done only inside the official IndianOil ONE, HP Pay or Bharat Gas apps, or in person at your distributor. No gas agency sends an APK or a KYC link over WhatsApp or SMS, and none will ever ask for your bank account, UPI PIN or OTP.

How do I do LPG e-KYC safely?

Two ways, both free. Use your gas company's official app: IndianOil ONE for Indane, HP Pay for HP Gas, or the Bharat Gas app, downloaded from the Play Store or App Store, and log in with your registered mobile number to verify with an Aadhaar OTP or a face scan. Or visit your gas distributorship in person, where staff complete it on a biometric scanner. Never install an app sent over a message or enter bank details on a KYC web page.

What happens if I install the gas KYC APK?

The APK is a remote-access trojan. It requests permission to read your SMS and run in the background, and once granted, it can see the OTPs your bank sends and operate your banking and UPI apps in real time, draining your account without you seeing the transactions. Some versions hide their icon and forward the same scam link and APK to your WhatsApp contacts. If you installed it, cut off data and Wi-Fi immediately, uninstall the app or factory-reset the phone, call your bank to block your account and UPI, and report to 1930 and cybercrime.gov.in.

Does LPG e-KYC ever need my bank account or UPI PIN?

No. e-KYC verifies your identity using Aadhaar and your registered mobile number. It does not need your bank account number, UPI PIN, card details or the OTP your bank sends. The LPG subsidy is credited automatically to your Aadhaar-linked bank account by Direct Benefit Transfer under the PAHAL scheme, with no link and no verification of your bank details required. Any page or caller asking for these under the name of KYC or subsidy is committing fraud.

Is there really a pending LPG subsidy I need to claim?

For most ordinary households, no. The LPG subsidy has been close to zero for a few years, so a message promising a large "pending subsidy" if you verify your bank account is bait. The households that still get a meaningful subsidy, around Rs 300 on each 14.2-kg cylinder, are Ujjwala (PMUY) beneficiaries, and even that is credited automatically by Direct Benefit Transfer. No link is ever needed to release it. Check your own status only by opening your gas company's official app (IndianOil ONE, HP Pay or Bharat Gas) yourself.

Where do I report the LPG KYC scam in India?

Call the cyber-fraud helpline 1930 first if any money has moved, because a fast report gives the bank the best chance to freeze the transfer. Then file a complaint at cybercrime.gov.in, the National Cyber Crime Reporting Portal, with the message, the sender's number and any transaction details. Also report and block the number inside WhatsApp, tell your bank in writing, and let your gas distributor know so they can warn other customers.

Related SafeBrowz coverage

Bottom line: the LPG gas KYC message is a scam that steals your bank and UPI details or installs a trojan that empties your account. Real e-KYC is free and happens only in the official Indane, Bharat Gas or HP Gas apps or at your distributor, the subsidy is credited automatically by DBT with no link, and no agency ever sends an APK. Do not tap the link and never install a "gas KYC" file. Put SafeBrowz on your browser and phone so the fake KYC page never loads, and pair it with the habit of doing e-KYC only in the official app you open yourself.