
Your Challan Could Be a Trap

Did you get a traffic challan message? It may be a phishing attempt. Learn to protect your finances from the traffic challan scam with our cybersecurity tips.

  • Ram Iyer

A few days ago, my brother received a text message about a traffic challan. He immediately forwarded a screenshot of it to me and we both started laughing. Here is the message:

Dear Vehicle Owner

A traffic violation has been rec. Please be aware that this action has been documented and is subject to further proceedings.

Reference/Ticket No:
VA8641SDGV486DFV486DF

View details and resolve it via our app or website to avoid legal action. For More information contact us. tinyurl.com/ViewChallan-B4F7
Anand Trading Company

Fellow Indians had already lost ₹20,000 crore to cybercrime in the first two months of 2025.1 But what has this got to do with the message we got?

At Millennierd, we break down scams to help you protect yourself. By the end of this article, you will know how to spot such scams from a mile away. Like I said in a previous article, the criminals are always a step ahead of people like you and me. While nobody is fully immune to scams, you can at least protect yourself from the most obvious ones, such as this.

As if getting a traffic challan itself was not distressful enough, imagine losing tens of thousands of rupees of your hard-earned money.

What was the scam

Now to how we knew in a second that this was a scam, and how easy spotting this was.

The sender

The usual giveaway in such cases is who the message came from. If you receive traffic challan messages from a phone number rather than a named sender, be suspicious. Your traffic challan messages should ideally come from Parivahan (the service run by the Ministry of Road Transport and Highways—MoRTH). You should see VAHAN in the sender name, prefixed with a couple of letters.

This message, though, had come from AX-ANNDTC, and as you can see, the end of the message says, ‘Anand Trading Company’. This is an easy giveaway. Of course, the scammer may have realized this and would change it to MoRTH or something in the next iteration.

What was interesting was that the message came from a registered SMS sender, ANNDTC. Perhaps the scammer hacked the company’s SMS handle?

The URL

While the use of TinyURL, Bit.ly, and such URL shorteners is a norm for SMS, the context here surprised me. Thousands of challans get generated in a day across the country. Would the Ministry bother adding the challan number to the URL suffix? And why is the challan number just four characters long? B4F7 doesn’t even appear anywhere in the full challan number.

Details are an easy giveaway as well. Always check the numbers. Does the challan number match the URL? Does the challan number look like a challan number from your RTO? Do not skip reading the number just because it is a bunch of arbitrary characters. The challan number can tell you a lot.

Also, always expand URLs with a URL expander. (I used https://urlexpander.me/.)

TinyURL and such services work by using redirects. These redirects take you from one domain (think: site) to another. But because you don’t know to which URL this short URL is going to take you, you should be careful when you receive these shortened URLs. Usually, services that care about their brand would use branded URL shorteners, such as we at Millennierd use mlnrd.in. Similarly, Amazon uses amzn.to, HDFC Bank uses hdfcbk.io, and so on.

When I expanded the URL using the URL expander, it gave me the link: https://raw.githubusercontent.com/amar0282/Hjjhh/refs/heads/main/Google%20service-1.apk. Without getting too much into the details, this is a GitHub URL, typically used to refer to specific files in a code repository. The end of this URL is important: it refers to an APK file.

An APK file is an Android app package file. This file can be opened within Android, and your phone will ask you if you would like to install this app. If you say yes, the app will be installed.
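What a URL expander does, as an added example (not code from the article or from any expander service): follow the redirects one hop at a time with HEAD requests, so nothing is downloaded, then judge the final destination by its parsed host and file type. The function names, the `https://` prefix added to the short link, and the acceptance of subdomains are assumptions of this sketch; the recorded hop is the one the article reports.

```python
import http.client
from urllib.parse import urljoin, urlsplit

OFFICIAL_HOST = "parivahan.gov.in"     # the only link host the article treats as legitimate
BINARY_SUFFIXES = (".apk", ".exe")     # binary downloads the article says to distrust

def head_location(url):
    """One HEAD request; return the redirect target or None. No response body is fetched."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=10)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=10):
    """Follow redirects hop by hop and return the whole chain, stopping on loops."""
    chain = [url]
    while len(chain) <= max_hops:
        target = fetch(chain[-1])
        if not target:
            break
        target = urljoin(chain[-1], target)   # a Location header may be relative
        if target in chain:
            break
        chain.append(target)
    return chain

def assess(final_url):
    """Return the reasons a destination should not be trusted (empty list = none found)."""
    parts = urlsplit(final_url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    # Compare the parsed host, never a string prefix: "parivahan.gov.in.x.example" is another site.
    if host != OFFICIAL_HOST and not host.endswith("." + OFFICIAL_HOST):  # subdomains: assumption
        reasons.append("not-official-host")
    if parts.path.lower().endswith(BINARY_SUFFIXES):
        reasons.append("binary-download")
    return reasons

# Offline stand-in for the network: the single hop the article reports for its short link.
RECORDED = {"https://tinyurl.com/ViewChallan-B4F7":
            "https://raw.githubusercontent.com/amar0282/Hjjhh/refs/heads/main/Google%20service-1.apk"}

def demo():
    chain = expand("https://tinyurl.com/ViewChallan-B4F7", fetch=RECORDED.get)
    return chain, assess(chain[-1])
```

Calling `expand()` without the `fetch` argument performs real HEAD requests; `demo()` uses only the recorded hop.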

What is an APK

Knowing how apps are made will help you answer this question, and tell you why I find this message highly suspicious.

Developers (or devs) make apps using code. Code is like a recipe—a set of instructions. The devs write the code and run it through a compiler. A compiler is like an oven. The development environment is like a kitchen. The compiler is part of the development environment. When the code is run through the compiler, in the presence of libraries (ingredients), the compiler would create a binary (cake).

This binary is the app.

An APK file is a form of binary; a binary that Android works with.

Should you install an APK

You should not install an APK directly, but only through the Play Store. This is the safest option for most people.

Unless you are an advanced Android user, never download APK files to install them on your phone. Installing APK files directly instead of going through the Play Store is called ‘sideloading’. Sideloading opens doors to several undesirable situations, including APK fraud; you should never sideload apps unless you are absolutely certain you know what you are doing, and you know and trust the makers of the APK.

Android app developers must go through the Play Store verification process to make their app (APK) available on the Google Play Store. The Play Store approval process, though not foolproof, has a few steps that deter most malicious app developers from making their apps available through the Play Store. Sideloading has no such restriction.

Android tries to protect you from this situation, which is why app sideloading is disabled by default. But since enabling sideloading is not exactly difficult, people fall prey to APK scams. No matter what, unless you are tech-savvy and can verify Android code, never sideload apps on your phone.

Also, always download known, trusted apps from trusted developers, even from the Play Store. Just because an app is on the Play Store, it doesn’t mean it is safe.

The role of Google

The Android operating system and Google Play Store work in tandem to improve security on your device. Google runs a set of security checks on the submitted apps, including malware scanning and policy enforcement. Since sideloaded apps don’t go through this process, the chances of their containing malicious code are much higher than for apps vetted by Google.

Android has permission policies, meaning, the Android operating system controls how apps ask for permissions and what the apps are allowed to do. The Play Store enforces these policies. Google also actively monitors these apps on the Play Store, scanning them for malware periodically, even after the apps are initially approved. This is to make sure the developer did not add any malicious code after the approval.

Google Play Protect also keeps scanning the apps on the phone, based on the known malware signatures in its database. Newer or more sophisticated attacks may not get detected by Play Protect.

Like the Swiss Cheese Model, apps should first get scanned at the Play Store level, and then, also locally on the phone. Google’s review process is therefore a significant step in enforcing policies and improving security. If an app bypassed this, you only have Google Play Protect partially protecting you.

Secondly, if you gave permissions without seeing what permissions the app asked for, you opened up a lot more of your data to the app than necessary. Now, the app, for example, can read your messages (and therefore your OTP, your bank balance and so on), and access your contacts, use Accessibility features to read your screen and so on.

Phishing

Phishing is the act of stealing information by pretending to be something legitimate. For example, you receive an email saying your Instagram password is compromised, and that to regain access, you must use the link in the email, and key in your username and password to unlock your account.

You open the link, it shows the familiar Instagram page. You enter your username and password. The page changes to say you have successfully unlocked your account. But in reality, it was a different site made to look like Instagram, which sent your Instagram username and password to a database. Turns out, you had never lost access to your Instagram account! The scammer tricked you into entering your credentials, which s/he can now use to access your Instagram account.

Installing a malicious APK is like web-page-based phishing on steroids because browsers can prevent most websites from accessing sensitive information, but an app, once installed, can access a lot more information than a website can, if it manages to bypass the Android guardrails (which a sideloaded app could).

If it manages to gain access to your phone’s accessibility features on the pretext of some feature supposed to improve your experience, it can read your screen, record keystrokes, access the camera and other such hardware and so on. This can lead to stolen credentials (including your banking credentials), identity theft and unauthorized access to other personal data.

And think about this: You have enabled two-step verification by following a guide in a previous article on Millennierd. You feel safe because of the added layer of security, but some services only offer second factor authentication via SMS. Now this APK has gained access to your SMS, greatly compromising your security.

What if the challan was legitimate

In case of a legitimate challan:

  1. You would get the message from the Ministry of Road Transport and Highways (MoRTH). The sender name would be either MoRTH or VAHAN.
  2. The link would be a Parivahan link (the link would always begin with https://parivahan.gov.in).
  3. Your vehicle number would be mentioned in the message.
  4. You will not have to download an app to pay the fine.

The message we received met none of these criteria. Clearly, this was the traffic challan scam.
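The four checks above, applied to the message from this article, as an added example (not the author's code). The plate pattern, the wording heuristic for "download an app", and the contrasting message are assumptions constructed for illustration; a sender name can be imitated, so a pass here is not proof of legitimacy.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "parivahan.gov.in"
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I)
# Assumption: plates written without spaces in the common layout, e.g. KA01AB1234.
PLATE_RE = re.compile(r"\b[A-Z]{2}\d{1,2}[A-Z]{1,3}\d{4}\b")
# Heuristic (assumption): wording that steers the reader towards installing something.
APP_RE = re.compile(r"\bapps?\b|\.apk\b|\binstall\b", re.I)

def is_official(link):
    parts = urlsplit(link)   # a scheme-less link has no parsed hostname, so it fails
    return parts.scheme == "https" and (parts.hostname or "").lower() == OFFICIAL_HOST

def triage(sender, body):
    """Return the checklist items the SMS fails; an empty list means all four pass."""
    failed = []
    header = sender.rsplit("-", 1)[-1].upper()          # "AX-ANNDTC" -> "ANNDTC"
    if "VAHAN" not in header and "MORTH" not in header:
        failed.append("sender")
    links = [m.group(0).rstrip(".,)") for m in LINK_RE.finditer(body)]
    if not all(is_official(link) for link in links):
        failed.append("link")
    if not PLATE_RE.search(body):
        failed.append("vehicle-number")
    if APP_RE.search(body):
        failed.append("app-download")
    return failed

# The message quoted at the top of this article.
SCAM_SMS = """Dear Vehicle Owner
A traffic violation has been rec. Please be aware that this action has been documented
and is subject to further proceedings.
Reference/Ticket No:
VA8641SDGV486DFV486DF
View details and resolve it via our app or website to avoid legal action.
For More information contact us. tinyurl.com/ViewChallan-B4F7
Anand Trading Company"""

# Constructed for contrast; sender prefix, plate and wording are made up.
LEGIT_SMS = "Traffic challan issued for vehicle KA01AB1234. Check and pay at https://parivahan.gov.in/"

def demo():
    return triage("AX-ANNDTC", SCAM_SMS), triage("XX-VAHAN", LEGIT_SMS)
```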

When you receive a message like this, no matter how convenient tapping on the link and going to the “site or app” is, always log in to the Parivahan portal or use the official NextGen mParivahan app (here are the official links for iOS and Android) by the National Informatics Centre (NIC) to check for challans and pay the fine. Remember that the government agencies will never give you a mere few hours’ notice to pay fines. You will always have a few days (or weeks) to pay the fine. Do not fall for the urgency the scammers show in their messages.

Unfortunately, you cannot trust any links unless you have the habit of seeing the final URL of the page on your browser’s address bar and recognizing domains. Even the tech-savvy fall for these scams, and that should tell you something.

If a link is downloading something on your phone/computer without your active choice to download something, be suspicious. And have double the suspicion if the download is a binary, like an APK or an EXE.

Sense of urgency

Most scammers show a sense of urgency: ‘one hour left’, ‘last day’ and so on. This kind of wording instantly makes you panic. It shuts off your logical reasoning because you intrinsically feel that every second is precious. You skip reasoning and jump straight to the suggested conclusion.

Whenever you see that sense of urgency (including seeing ‘1 item in stock’ on shopping websites), pause. Take a step back and evaluate the situation. And then take an action.

Should you get antivirus software

Most modern operating systems come with security features baked in. The most popular operating systems (such as Windows, Android, iOS and macOS) have tools built into them to protect you from malicious software. Some operating systems like Linux are even designed with user security in mind.

However, keeping the operating system updated (especially installing all the latest security updates) is critical to protecting yourself from most threats arising from malicious software.

Getting your apps from trusted sources is also critical. Paying ₹199 for a reputed paid software is much better than losing your entire life’s savings to a “free” (but malicious) app.

Commercial antivirus software does exist, but it is not necessary given the safeguards the operating systems have, provided you practice general hygiene with your apps and data. (I used a Windows laptop with only the default Windows Defender for a decade and that worked perfectly fine—of course, given Windows’ bad rep for security, I switched to Linux and haven’t looked back.) If you would like to be extra careful, feel free to get yourself an anti-malware tool, but go for a reputed one because anti-malware has access to the depths of the operating system because of its nature, and getting the wrong one could prove worse than a phishing attack. Also, in my opinion, getting an anti-malware tool leads one to become complacent, which makes me not suggest anti-malware to people.

And that’s it

The goal of Millennierd is to keep you informed and educated. Knowing about these online scams helps you remain prepared for when you get such a message.

Share this article among your colleagues, friends and family. You might help protect someone’s hard-earned money, reputation and mental health.

Have you faced such an incident? Post @millennierd on X, Instagram or Facebook, or if you are reading this on Medium, drop a comment below. I would like to know how you identified and thwarted a phishing attack.

Meanwhile, remember:

  1. Do not trust messages blindly.
  2. Do not fall for the urgency in these messages.
  3. Never click unbranded/unknown shortened links. Always expand shortened links using a URL expander.
  4. Never download or install an APK.
  5. Always pay the fines on the official government websites or use official government apps.
  6. Keep the operating system on all your devices up to date.