SBI Warns: Scammers Target YONO App Deactivation Sending Fake

A new social engineering campaign is targeting millions of State Bank of India customers nationwide. Scammers are disseminating fraudulent messages, warning that the YONO banking app will be deactivated unless users promptly update their Aadhaar number.

The scam has been circulating through SMS, WhatsApp, and unsolicited emails, creating a false sense of urgency to trick unsuspecting users into taking dangerous action.

The attackers rely on fear and urgency to push victims into clicking malicious links or downloading unauthorized APK files.

These APK files, once installed, can give attackers full control over a victim’s device, allowing them to harvest banking credentials, OTPs, and personal information without the user even knowing.

The method is simple but highly effective, especially against users who are not familiar with how official banking apps are distributed.

Security analysts at the State Bank of India identified and publicly flagged this campaign in an official fraud alert, warning that these messages are entirely fake and must not be acted upon.

SBI said in a report shared with Cyber Security News (CSN) that the bank never asks customers to update their Aadhaar details through APK files or unofficial links. The alert reached nearly one million people within hours of being posted on the bank’s official social media channels.

The campaign is part of a broader rise in mobile-based phishing attacks, commonly known as smishing, that have surged across India in recent years.

Cybercriminals have grown increasingly sophisticated in mimicking legitimate banking communications, making it harder for everyday users to tell the difference between a real alert and a fraudulent one.

The use of Aadhaar as a lure is particularly calculated, since linking Aadhaar to bank accounts is a well-known regulatory requirement that many customers are still completing.

India’s Press Information Bureau fact-checking unit, PIB Fact Check, also stepped in to formally debunk the claims circulating in these fake messages, calling them deliberate fraud attempts designed to steal personal and financial information.

SBI Warns of Scammers are Sending Fake Messages Claiming Your YONO App

The scam message typically arrives as an SMS or WhatsApp text, using language that sounds official and urgent.

It tells the recipient that their YONO app will be blocked or deactivated within a short timeframe unless they update their Aadhaar information.

The message then provides a link or directly attaches an APK file for the user to download and install.

Once a victim installs the fake app, attackers can intercept OTPs, monitor banking sessions, and remotely access the device to drain funds.

The fake apps are designed to look nearly identical to the legitimate YONO interface, which makes detection very difficult for the average user.

This technique, known as a fake banking app overlay attack, is a recognized and dangerous form of mobile malware delivery.

How SBI Customers Can Stay Protected

SBI has been clear and consistent in its guidance: the official YONO app should only ever be downloaded from the Google Play Store or Apple App Store.

Customers should never download any app through a link sent via SMS, email, or WhatsApp, regardless of how official the message appears.

The bank has urged users to delete and ignore any suspicious message immediately, avoid sharing Aadhaar details or OTPs through any unverified channel, and report any phishing attempt to the bank’s official email at [email protected].

Customers can also report financial cybercrime through the National Cyber Crime Reporting Portal at www.cybercrime.gov.in or by calling the national helpline at 1930.

SBI also reminded its customers that the bank will never ask for passwords, PINs, CVV numbers, or OTPs over a call, SMS, or any messaging platform.

Staying aware of these boundaries is one of the most effective ways to avoid falling for scams like this one.

Anyone who suspects their device may have been compromised should run a full antivirus scan and consider changing all account passwords immediately from a separate, trusted device.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.