Indian Police Bust Gang Abusing Google Firebase and Hostinger in $4.6 Million Sideloaded Android Malware Scam

A single malicious APK disguised as a Mahanagar Gas utility file led investigators from one victim's drained bank account to 12.4 million intercepted text messages, 111 counterfeit apps, and a six-member ring operating out of Jharkhand, Bihar, and Delhi.
MUMBAI, June 26, 2026
A Mumbai resident received what appeared to be a notice from Mahanagar Gas Limited, the city's piped-gas utility. To resolve the issue, the message said, the user needed to install a file: MGL GAS UNBLOCK FILE.apk. They did. Within a short window, ₹2,35,000 was gone from their bank account.
That complaint, registered as Crime No. 81/2026 at the Cyber Police Station, Western Region, Mumbai, would have looked from the outside like one more entry in India's relentless ledger of digital fraud. Instead, it became the thread that unravelled an entire criminal supply chain, and the resulting operation by the Mumbai Cyber Crime.
Mumbai police have arrested six men in connection with an interstate cybercrime gang that allegedly used fake Android apps, distributed via SMS phishing and installed through sideloading, to hack victims’ mobile phones and steal banking credentials in a fraud network spanning thousands of cases across India.
Firebase and Hostinger: the dark side of "backend-as-a-service"
The Mumbai recoveries name two pieces of mainstream technology that have become quiet enablers of mass fraud: Google's Firebase and the budget web host Hostinger. Investigators pulled roughly 1.24 crore (12.4 million) SMS records from Firebase and Hostinger servers tied to the operation.
Neither product is malicious. Firebase is a Google-owned development platform that gives app builders a ready-made backend (real-time databases, cloud messaging, storage) without having to provision their own servers. It is used by a vast number of legitimate developers precisely because it is fast, cheap, and frictionless. Hostinger is a low-cost hosting provider with a similarly broad and legitimate customer base.
That same frictionlessness is what makes them attractive to criminals. Security researchers have repeatedly found banking-malware campaigns using Firebase as command-and-control (C2) infrastructure: the compromised phone ships its stolen SMS data straight into a Firebase database that the attacker controls. In one widely reported case, researchers discovered hundreds of publicly accessible Firebase storage buckets holding gigabytes of stolen messages, card details, and government IDs, some left so poorly secured that they required no authentication at all to access.

Sideloading feature in Android abused for installing malware
Once the APK was sideloaded onto Android devices, requiring users to manually enable “install from unknown sources” and bypass Google Play Protect, the malicious app allegedly compromised the device, intercepted and forwarded SMS messages containing OTPs and banking alerts, and exfiltrated sensitive data including bank account details, PINs, CVVs and UPI credentials to servers controlled by the gang. In one documented case, this led to an unauthorized transfer of 235,000 rupees from a victim’s account.
Investigators recovered 111 fake APK files designed to impersonate apps from various government departments and banks, along with information on 83 additional APK packages. Digital forensics also yielded WhatsApp and Telegram chat logs, evidence of Telegram bots used for coordination and the sale and circulation of fake APKs, server login credentials, URLs, and approximately 1.24 crore SMS records hosted on Google Firebase and Hostinger infrastructure.
The investigation was technically complex and involved complex code analysis, which the team carried out.
A national footprint
When investigators cross-referenced the recovered data against complaints on the National Cybercrime Reporting Portal (NCRP), the true reach of the ring came into focus. The analysis linked the group, on a prima facie basis, to 3,206 complaints across India, with total fraud amounting to ₹43,25,77,497, over ₹43 crore. Of those complaints, 517 originated in Maharashtra, with 93 in Mumbai alone.
In other words, the ₹2.35 lakh theft that opened the case was a single grain in a much larger pile. Because the operation spanned multiple states, Mumbai Cyber Crime shared its findings with the relevant state police forces and with I4C (the Indian Cybercrime Coordination Centre) under the Ministry of Home Affairs to enable arrests and coordinate the broader response, exactly the kind of cross-jurisdictional cooperation that mobile fraud, which respects no state lines, demands.
Arrests and recoveries
The six accused, arrested following raids and technical surveillance, are:
- Arif Astun Ansari, 28, from Bankikala, Post Parvatpur, Ahilyapur police station, Giridih district, Jharkhand
- Sheikh Belal Naushad, 28, from Mahjori, Post Mandro, Gandey police station, Giridih district, Jharkhand
- Mehboob Naushad Alam, 26, from Bankikala, Post Parvatpur, Ahilyapur police station, Giridih district, Jharkhand
- Sajid Mansur Ali, 21, from Kapasheda, South West Delhi
- Mohan Kushal Mahato, 23, from Karmatand, Post Charak, Maniyadih police station, Dhanbad district, Jharkhand
- Sunil Kumar Dashrath Soren, 25, from Karmatand, Post Charak, Maniyadih police station, Dhanbad district, Jharkhand
Police seized 11 mobile phones, one laptop and other electronic devices during the operation. The accused have been booked under relevant sections of the Bharatiya Nyaya Sanhita (BNS) and the Information Technology Act at the Cyber Police Station, West Zone, Mumbai.
Operation's team

- Shri Deven Bharti, Commissioner of Police, Brihan Mumbai
- Shri Anil Kumbhare, Joint Commissioner of Police (Crime)
- Shri Krishnakant Upadhyay, Additional Commissioner of Police (Crime)
- Shri Bajrang Bansode, Deputy Commissioner of Police
- Shri Irfan Shaikh, Assistant Commissioner of Police
- Senior PI Suvarna Shinde
- Sr. PI Nitin Gachche
- PSI Dhanvesh Patil (Cyber Commando)
- PSI Vijay Ghorpade
- PI Deepak Tayde
- PSI Rajesh Khushlani (Cyber Commando)
- PC Sachin Sawant
- PC Prashant Bhuwad
- PC Mahendra Tawde (Cyber Commando)
- Police Constables Vikas Dige, Sangram Jadhav, Suyesh Lokare, Amol Phaple, Mayur Ingle, Omkar Shinde, Anil Ware
The fake gas-bill app drained one account. The investigation it triggered may yet protect millions.