Fake RTO e-Challan APK scam in India: the traffic-fine banking trojan
A message lands on WhatsApp or SMS: you have a pending traffic challan, here is the app to view and pay it before the penalty doubles. It looks like an RTO notice. It is a scam. The file it asks you to install is not a challan app, it is an Android banking trojan that reads your SMS, steals the OTP your bank sends, and quietly drains your account through UPI. Here is how to recognize it in the seconds before you tap install.
Verdict: phishing scam
A WhatsApp or SMS message that says you have a pending RTO traffic challan and tells you to download an "e-Challan" app to view or pay it is a scam, not a notice from the transport department. The file you are asked to sideload, often named something like e-Challan.apk or RTO-Challan.apk, is an Android banking trojan. Security firm CYFIRMA documented how it uses a two-stage dropper, opens a custom VPN tunnel to hide its command-and-control traffic, and harvests your Aadhaar, PAN and SIM details. Once it has SMS and accessibility permissions it reads the one-time password your bank sends and runs UPI transfers on your behalf, emptying the account without you seeing a thing. Real traffic challans are never an APK on WhatsApp. The only official portal is echallan.parivahan.gov.in, and you pay there or on the official Parivahan app from the Play Store. A government department never sends you an .apk file. If you get one, do not tap the link and do not install anything. Report it at cybercrime.gov.in or call 1930, and flag the sender on the Chakshu service of the sancharsaathi.gov.in portal.
What the message actually says
The text barely changes from one campaign to the next, because it works on anyone who owns a vehicle. A typical version reads something like: "Your vehicle has a pending e-challan of Rs 500 for a traffic violation. Pay before the penalty doubles. Download the official e-Challan app to view photo proof and pay" followed by a WhatsApp forward or a short link. Some versions attach the APK file directly inside the chat. Others send a link that, when tapped, starts the download.
The amount is chosen carefully. Rs 500 or Rs 1,000 is plausible for a real fine, small enough that paying it feels easier than disputing it, and the "photo proof" line is the hook that makes you want to open the app and see what you supposedly did. The fine is not the goal. The app is. Once it is on your phone, the few hundred rupees becomes the whole balance of your bank account.
What is actually inside that APK
This is not a clumsy fake. Researchers at CYFIRMA pulled the malware apart and found a real, layered banking trojan dressed up as a challan app.
A two-stage dropper
The file you install first is a dropper. It looks harmless and asks for little, which is how it slips past your guard. Once running, it quietly pulls down and installs the second-stage payload, the actual trojan. Splitting the malware in two helps it survive a first glance and any basic check at install time.
A custom VPN tunnel to hide its traffic
The trojan opens its own VPN tunnel and routes its command-and-control traffic through it. That hides the conversation between your phone and the operator's server, so the data theft is harder to spot on the network and the connection back to the attacker is masked. Your phone is quietly talking to a stranger, and the tunnel keeps that conversation out of sight.
Harvesting your identity and intercepting your OTP
With permissions granted, the app harvests Aadhaar, PAN and SIM details and reads your SMS inbox. That SMS access is the heart of the scam: when your bank sends a one-time password to authorize a transfer, the trojan reads it. Combined with the accessibility permission, which lets it see your screen and tap buttons for you, the operator can start a UPI transfer, catch the OTP the bank sends, approve it, and move the money out, all silently. This is the same OTP-theft engine we break down in our fake bank app APK guide; the e-challan lure is just a new costume on it.
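The capabilities described in the three sections above can be checked for in a decoded AndroidManifest.xml before anything is installed. This is an added example, not code from CYFIRMA or from this site. It assumes the manifest has already been decoded to text, and the mapping from each behaviour to a standard Android permission name is this example's assumption, as are the two constructed manifests.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: behaviours named in the article mapped to standard Android permissions.
CAPABILITIES = {
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS"},          # reads bank OTPs
    "accessibility": {P + "BIND_ACCESSIBILITY_SERVICE"},  # sees screen, taps for you
    "vpn": {P + "BIND_VPN_SERVICE"},                      # runs its own tunnel
    "installer": {P + "REQUEST_INSTALL_PACKAGES"},        # dropper behaviour
    "sim": {P + "READ_PHONE_STATE", P + "READ_PHONE_NUMBERS"},
}


def triage_manifest(xml_text):
    """Return (verdict, capabilities) for a decoded AndroidManifest.xml."""
    # A manifest from an unknown APK is untrusted XML; a hardened parser
    # such as defusedxml is the safer choice outside a demo.
    root = ET.fromstring(xml_text)
    declared = {e.get(NS + "name") for e in root.iter("uses-permission")}
    declared |= {e.get(NS + "permission") for e in root.iter("service")}
    found = sorted(c for c, perms in CAPABILITIES.items() if perms & declared)
    if "sms" in found and "accessibility" in found:
        verdict = "high-risk"   # can read the OTP and drive the screen
    elif found:
        verdict = "review"
    else:
        verdict = "no-flags"
    return verdict, found


# Constructed manifests for illustration; not taken from any real sample.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.challan">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *triage_manifest(xml))
```

A challan viewer has no reason to declare the SMS and accessibility pair, so "high-risk" on an app claiming to be one is enough to stop.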
The one rule that beats it: real challans are never an APK
Here is the test that beats the panic every time. A real traffic challan in India is issued through the government e-challan system and lives at one place: echallan.parivahan.gov.in. You check it and pay it there, or on the official Parivahan app downloaded by you from the Google Play Store, or through your state transport department's verified channel. That is the whole list.
A government department never sends you an .apk file to install, and never delivers a challan as a WhatsApp forward with a "download the app" link. So the moment a "pending challan" arrives with an app to sideload, you already have your answer: it is a scam, and you do not need to read another word of it. Type echallan.parivahan.gov.in into your browser yourself and look up your vehicle number. If there is a real challan, you will see it there. If there is not, the message was a lie.
How big is this
The losses are real and recent. In June 2026 a single victim lost about Rs 34.75 lakh to a fake e-challan app, and a Dehradun resident lost about Rs 3.6 lakh in another case (reported by The420.in). Karnataka police have reported APK-based fraud rising about 190% over four months, with traffic-challan and similar app lures among the most common entry points. The pattern is the same in every case: a believable notice, an app to install, then a silent transfer.
It sits inside the broader 2026 India smishing wave that includes the fake electricity disconnection APK texts, the digital arrest calls, and UPI collect-request fraud. They all lean on the same two tools: a trusted-sounding sender and a moment of manufactured urgency.
Red flags of the RTO e-challan scam
- It tells you to download an app or open an .apk file. No real RTO or transport department sends you an app over WhatsApp or SMS. The official Parivahan app lives on the Play Store, found by you, not pushed to you by a link or attached to a chat.
- The link is not echallan.parivahan.gov.in. The only official challan portal is echallan.parivahan.gov.in. A shortened link, a lookalike domain, or a direct file download is the tell.
- It comes by WhatsApp or from a 10-digit number. Government challan notices are not delivered as WhatsApp forwards from a personal mobile number.
- It pressures you with a doubling penalty or a deadline. "Pay before the fine doubles tonight" is manufactured urgency designed to make you skip the check.
- It quotes a believable small fine. Rs 500 or Rs 1,000, large enough to seem real, small enough to pay without thinking.
- It asks you to enable "unknown sources" or grant SMS and accessibility permissions. Those requests are exactly how the trojan reads your OTPs and controls your phone.
- The "photo proof" is bait. The promise of seeing your violation photo inside the app is what makes you open it. The app is the payload.
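The link-related red flags above, and the one-portal rule they rest on, can be written as a small triage function. This is an added example, not SafeBrowz's detection code. The shortener list and brand words are assumptions, and every sample link is constructed.

```python
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"echallan.parivahan.gov.in"}   # the only portal the article names
# Assumption: a small sample of link shorteners, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
BRAND_WORDS = ("challan", "parivahan")


def triage_link(url):
    """Return (verdict, host, reasons) for a link from a 'pending challan' message."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", "", ["URL does not parse"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("userinfo before @ disguises the real host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        reasons.append("internationalised host, possible homograph")
    if host in SHORTENERS:
        reasons.append("shortener hides the destination")
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct APK download")
    if host not in OFFICIAL_HOSTS:
        # Exact match only: a substring test would pass lookalike hosts.
        if any(w in host for w in BRAND_WORDS):
            reasons.append("brand words on a non-official host")
        else:
            reasons.append("not the official portal")
    return ("suspicious" if reasons else "official"), host, reasons


# Constructed links for illustration; none is taken from a real campaign.
SAMPLES = [
    "https://echallan.parivahan.gov.in/",
    "http://echallan-parivahan.gov-in.example/e-Challan.apk",
    "https://echallan.parivahan.gov.in.pay.example/view",
    "https://echallan.parivahan.gov.in@203.0.113.7/pay",
    "https://echallan.p\u0430rivahan.gov.in/",   # Cyrillic 'a' in place of Latin 'a'
    "https://tinyurl.com/constructed",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage_link(link))
```

The third and fourth samples begin with the official hostname as text yet resolve to a different host, which is why the check compares the parsed hostname exactly.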
What to do
- Do not tap, do not download, do not install. The message has no power until you act on it. Reading it costs you nothing. Installing the file is where the loss begins.
- Check your challan at the real portal yourself. Type echallan.parivahan.gov.in into your browser, or use the official Parivahan app from the Play Store, and look up your vehicle number. If a challan is real, it is there. If it is not there, the message was fake.
- Never install an APK from a message link or chat. Get apps only from the Google Play Store, and never enable "install from unknown sources" because a message or a caller told you to.
- Never grant SMS or accessibility permissions to an app you sideloaded. A genuine challan-payment flow never needs to read your texts or control your screen.
- If you already installed it, act now. Put the phone in airplane mode, uninstall the app, and from a different trusted device change your banking and UPI passwords and freeze or alert your bank. Then run a security scan or factory-reset the phone. Our what to do after a scam guide has the full sequence.
- If money already moved, call your bank's fraud line immediately and report within the golden hour. The sooner you report, the better the chance of a reversal.
How to report it in India
- Report financial fraud to the national cybercrime helpline. Call 1930 or file at cybercrime.gov.in. Reporting fast gives the best chance of freezing the money before it is withdrawn.
- Report the sender on Chakshu. Use the Chakshu service on the sancharsaathi.gov.in (Sanchar Saathi) portal to report the suspicious SMS, call or WhatsApp message so the number can be acted on.
- Forward the spam to your operator. Report unsolicited messages to your mobile operator so the sender is flagged.
- Verify only at the official portal. For any genuine challan question, use echallan.parivahan.gov.in or your state transport department's verified site, never the link in the text.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Indian government and banking brands included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike "pay your challan" domains and flags the kind of link that fronts a malicious APK download.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already reported as malicious, which covers fake challan-payment and APK-hosting pages as they get reported.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches a brand-new fake e-challan page in seconds, including a fresh lookalike that copies the Parivahan look and pushes an app download or a "pay immediately" flow.
Honest scope: SafeBrowz checks the link in the message, so a fake challan-payment page or an APK-hosting page is flagged before it loads on your screen. What it cannot do is read your SMS inbox, scan an APK already installed, or stop a permission you grant by hand, so the human rules still matter most: a "challan" that arrives as an app to install is a scam, and the only real portal is echallan.parivahan.gov.in. SafeBrowz catches the link, you catch the message.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser and link-layer defense fits
The dangerous moment in this scam is the tap on the link, the second before an APK starts downloading or a fake payment page asks for your card. Link-layer scanning catches that step. When a "pay your e-challan" link points to a lookalike domain or an APK file instead of the real Parivahan portal, a brand-aware scanner flags it before it opens. SafeBrowz is a free extension for Chrome, Firefox and Edge, with a SafeBrowz Android app and Safari coming soon, that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Learn how to tell if a website is a scam, see how phone and text scams work, install SafeBrowz, and pair it with the one rule that beats this whole category: a challan that arrives as an app to install is a scam, and you check and pay only at echallan.parivahan.gov.in or the official Parivahan app.
Install SafeBrowz free
Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
I got a WhatsApp saying I have a pending traffic challan and to download an app. Is it real?
No. A real traffic challan is never delivered as a WhatsApp forward or an app to install. The only official portal is echallan.parivahan.gov.in, and you check and pay there or on the official Parivahan app from the Google Play Store. The app the message tells you to download is a banking trojan that reads your SMS, steals your bank OTP and drains your account. Do not tap the link or install anything. Type echallan.parivahan.gov.in yourself and look up your vehicle number.
What does the fake e-Challan APK actually do?
Security firm CYFIRMA found it is a two-stage banking trojan. The first file is a dropper that quietly installs the real payload. It opens a custom VPN tunnel to hide its command-and-control traffic, harvests your Aadhaar, PAN and SIM details, and asks for SMS and accessibility permissions. With SMS access it reads the one-time password your bank sends; with accessibility access it can see your screen and tap buttons for you. Together that lets the operator start a UPI transfer, read the OTP, approve it and empty your account silently.
How do I check if I actually have a traffic challan?
Go to the official government portal at echallan.parivahan.gov.in, typed into your browser yourself, and look up your vehicle registration number, or use the official Parivahan app downloaded from the Google Play Store. If a challan is real, it appears there. Never check or pay through a link in a message, an attached APK, or a WhatsApp forward. A government department never sends you an .apk file.
I already installed the e-Challan app. What do I do?
Act fast. Put the phone in airplane mode to cut its connection, then uninstall the app. From a different trusted device, change your banking and UPI passwords and call your bank to freeze or alert your account. Run a security scan or factory-reset the phone to be safe. If money already moved, call your bank's fraud line and the national cybercrime helpline on 1930 immediately, ideally within the golden hour, for the best chance of a reversal.
Where do I report a fake e-challan scam in India?
Report financial fraud to the national cybercrime helpline by calling 1930 or filing at cybercrime.gov.in, and do it fast for the best chance of freezing the money. Report the suspicious sender through the Chakshu service on the Sanchar Saathi portal (sancharsaathi.gov.in), and forward the spam message to your mobile operator. For any genuine challan question, use only echallan.parivahan.gov.in.
Bottom line: A WhatsApp or SMS that says you have a pending traffic challan and tells you to download an app to view or pay it is a scam, not an RTO notice. The e-Challan.apk it pushes is a banking trojan that reads your OTPs and drains your bank through UPI. Never tap, download or install. Check your real challan only at echallan.parivahan.gov.in or the official Parivahan app, report a scam at cybercrime.gov.in or 1930, and keep SafeBrowz on your browser so a fake challan-payment or APK link is flagged before it ever opens.