A sophisticated WhatsApp scam using malware-laced images has drained bank accounts across India, with recent cases reported in Jabalpur (₹2 lakh), Maharashtra (₹2.01 lakh), and other states. Cybercriminals employ steganography to embed malware in seemingly harmless photos, bypassing OTPs to access banking credentials and UPI details.
The Department of Telecom and Greater Chennai Police have issued urgent advisories, urging users to disable auto-downloads and enable two-step verification. The scam’s stealthy design and rapid execution leave victims with little recourse, highlighting the urgent need for public awareness and institutional accountability.
Steganography-Driven Scam: How Hackers Hijack Devices
The scam begins with attackers sending WhatsApp images containing malware hidden via Least Significant Bit (LSB) steganography, a technique that embeds malicious code within ordinary media files.
Victims, such as a Jabalpur resident who lost ₹2 lakh, often receive these images from unknown numbers, accompanied by urgent calls pressuring them to “identify someone.”
Once downloaded, the malware grants hackers remote access to the device, enabling them to bypass OTPs, extract UPI PINs, and initiate unauthorised transactions. Unlike traditional phishing links, this method requires no interaction beyond downloading the image, making it exceptionally deceptive.
Recent reports indicate scammers also use AI-generated voice clones to impersonate relatives, adding another layer of manipulation.
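The LSB technique named above, shown as an added example (not code from the article or from any advisory it cites): benign random bytes are hidden in a constructed pixel buffer, read back out, and flagged with a simplified pairs-of-values chi-square statistic of the kind steganalysis tools use. The buffer, payload and all function names are assumptions made for illustration.

```python
import random

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Store payload bits (MSB first) in the lowest bit of successive pixel bytes."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # only the least significant bit changes
    return bytes(out)

def extract_lsb(pixels: bytes, nbytes: int) -> bytes:
    """Rebuild nbytes from the LSB plane, as an analyst would to inspect it."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for p in pixels[8 * i:8 * i + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def pair_chi_square(pixels: bytes) -> float:
    """Chi-square over value pairs (2k, 2k+1): lower means more LSB-equalised."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi += (hist[k] - expected) ** 2 / expected
    return chi

def constructed_sample(seed: int = 1):
    """Constructed data: 4096 'pixel' bytes with a skewed LSB, plus 512 random bytes."""
    rng = random.Random(seed)
    cover = bytes(2 * rng.randrange(128) + (rng.random() < 0.25) for _ in range(4096))
    payload = bytes(rng.getrandbits(8) for _ in range(512))
    return cover, payload

if __name__ == "__main__":
    cover, payload = constructed_sample()
    stego = embed_lsb(cover, payload)
    print("max per-byte change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("chi-square cover/stego:", round(pair_chi_square(cover)), round(pair_chi_square(stego)))
```

Each byte changes by at most 1, which is why the altered image looks identical to the eye, while the pair statistic drops sharply once the LSB plane carries random-looking data.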
Authorities Respond with Advisories Amid Rising Cases
The Department of Telecom has flagged this as a significant shift in cybercrime tactics, moving from OTP theft and fake-link scams to steganography-based attacks. In Chennai, police reported a 30% spike in WhatsApp account hijackings linked to similar OTP scams, prompting advisories to enable two-step verification and silence unknown callers.
Cybersecurity experts, including researchers at Quick Heal, warn that the malware evades detection by most antivirus tools and even AI-powered security systems. They recommend updating device software, restricting WhatsApp group invites, and avoiding media downloads from untrusted contacts.
Despite these measures, the lack of OTP prompts during breaches complicates detection, leaving users reliant on vigilance.
Rising Cases and Expert-Backed Advisories
The Department of Telecom has flagged this as a shift from OTP/fake-link scams to steganography-based attacks. Cyber expert Tushar Sharma warns that scammers exploit hidden layers in images to silently install malware, which steals data without triggering alerts. Key expert recommendations include:
- Disable auto-downloads for media files on WhatsApp.
- Update device software regularly to patch security gaps.
- Enable two-step verification on WhatsApp and banking apps.
- Avoid sharing OTPs or personal details, even with known contacts.
- Use behavioural analytics-based antivirus tools to detect anomalies.
The Logical Indian’s Perspective
At The Logical Indian, we believe combating such scams requires a dual focus: institutional transparency and community-driven education. While advisories are a step forward, authorities must prioritise faster scam resolution and publicise case outcomes to build trust.
For users, proactive measures, like disabling auto-downloads, scrutinising unexpected media, and reporting suspicious activity, are non-negotiable. Equally vital is fostering empathy towards victims, who often face social stigma alongside financial loss. As technology evolves, so must our collective responsibility to safeguard one another.