How to spot a fake bank app before you install it

Representative image

Fake banking apps are now a regular part of most phishing scams. They are designed to look like your bank’s real app, copy its logo and colour scheme, and then quietly steal passwords, OTPs and account numbers. You may see them in search results, on shady app stores, inside scam SMS links or even in social media ads. The safest approach is to pause before you tap “Install” and run a few quick checks.

The most reliable signal is the publisher name on the Play Store or App Store. Genuine banking apps are published in the bank’s own name, such as “HDFC Bank Ltd”, “State Bank of India” or “ICICI Bank Ltd”. Fake apps often tweak this slightly: missing “Ltd”, adding an extra word like “pro”, or using vague names such as “Secure Mobile Banking” or “Online Bank Services”. Never go only by the icon or app name; scroll down and read the exact publisher line before you trust it.

Real bank apps tend to have been around for years, so their numbers reflect that history: millions of downloads and a long trail of reviews across several versions. A suspicious app might have a few hundred or a few thousand downloads, with reviews that look copied, generic or written in poor English. If you see many short, similar five-star reviews posted within a narrow time window, treat it as a warning sign that the app may be fake or low-trust.

Your bank will not ask you to install its app from a forwarded link on SMS, WhatsApp, Telegram or email, and it will not send APK files to install directly. The official app will always be listed on the Google Play Store or Apple App Store if it is meant for regular customers. Any message that says “download this special version”, “faster app” or “blocked on Play Store, use this link instead” should be considered unsafe and ignored.

A quick look at requested permissions can also tell you a lot. A legitimate banking app usually asks for only what it needs: SMS for OTP auto-read, camera for KYC, maybe location for branch or ATM finder. Malicious apps often demand far more: full access to contacts, call logs, screen recording, notification reading or the ability to draw over other apps. If the list feels excessive or unrelated to basic banking, do not proceed with the installation.

Uninstall it straight away, run a security scan on your phone, change your internet banking and UPI passwords or PINs, and call your bank to review recent transactions and block access if needed.

Yes, occasionally. Most are removed once reported, but some slip through for a while. That is why checking the publisher name, download history and reviews is still essential even on official stores.

It can catch some threats, but it is not a substitute for basic caution. Verifying the app source, publisher, permissions and avoiding random links will usually give you far better protection than relying only on security software.