As Indians ring in the New Year, cybercriminals are capitalising on the festive spirit to launch fresh scams targeting smartphone users.
Authorities have flagged a new fraud that lures people with the promise of creating personalised New Year greeting cards but instead delivers a dangerous malware-laden file that can compromise devices, drain bank accounts and invade personal privacy.
An advisory issued by the Hyderabad Cyber Crimes Unit warns that fake links related to the scam are being widely circulated through WhatsApp, SMS and social media platforms, posing a significant risk as online activity spikes during year-end celebrations.
⚠️ Scam Alert! Messages offering a “personalized” New Year card via links or .apk files can install malware. Don’t click, don’t download—report & block immediately. Stay alert this festive season! 🎁📱 #CyberSecurity #WhatsAppScam #1930 #cybercrimespshyderabad #onlinesafety… pic.twitter.com/Gc1jKjaPsF
— Cyber Crimes Unit Hyderabad (@CyberCrimeshyd) December 31, 2025
How the New Year Greeting Scam Works
According to cybercrime officials, the scam is designed to appear harmless and festive. Users receive a message—often from an unknown number or even a familiar contact—inviting them to click a link to generate a customised New Year greeting card using their name or photos.
Clicking the link redirects users to a webpage that prompts them to download an APK file, often carrying festive names like Happy New Year.apk. While it may look legitimate, installing this file can inject malware into the phone. Once installed, the malicious app can grant attackers access to sensitive data stored on the device, transforming a simple greeting into a serious financial and privacy threat.
The Hyderabad Cyber Crimes Unit has cautioned that such malware can be used to steal personal and banking information, monitor user activity, install additional malicious software and, in some cases, allow cybercriminals remote control over the device.
How to Stay Safe
To reduce the risk of falling victim to the scam, users are advised to follow basic cyber safety practices:
- Avoid clicking on links received from unknown or unverified sources
- Never download APK files sent via messages or social media
- Install apps only from official platforms such as the Google Play Store
- Be cautious about granting apps access to personal data
Anyone who suspects they have encountered or fallen victim to the scam should immediately contact the national cybercrime helpline at 1930 or file a complaint on cybercrime.gov.in. Officials say prompt reporting can help limit financial losses and support investigations.
WhatsApp ‘GhostPairing’ Threat Adds to Concerns
The New Year scam comes amid warnings about another emerging cyber threat known as GhostPairing. Security researchers say this attack can allow hackers to quietly take over WhatsApp accounts without stealing passwords or performing SIM-swaps.
The technique allegedly exploits WhatsApp’s device-linking feature. Victims receive a message containing a link—often disguised as a Facebook photo—that leads to a fake login page. After entering their phone number, users are shown a numeric code and instructed to enter it into WhatsApp. Instead of securing their account, this action links the attacker’s browser as a trusted device, giving them access to chats and account activity.
Cyber experts are urging users to remain vigilant, especially during festive periods, as attackers increasingly rely on social engineering tactics that exploit curiosity, urgency and celebration-driven distractions.
