#FactCheck - The video of Virat Kohli promoting online casino mobile app is a deep fake.
Executive Summary:
A viral clip where the Indian batsman Virat Kohli is shown endorsing an online casino and declaring a Rs 50,000 jackpot in three days as a guarantee has been proved a fake. In the clip that is accompanied by manipulated captions, Kohli is said to have admitted to being involved in the launch of an online casino during the interview with Graham Bensinger but this is not true. Nevertheless, an investigation showed that the original interview, which was published on YouTube in the last quarter of 2023 by Bensinger, did not have the mentioned words spoken by Kohli. Besides, another AI deepfake analysis tool called Deepware labelled the viral video as a deepfake.
Claims:
The viral video states that cricket star Virat Kohli gets involved in the promotion of an online casino and ensures that the users of the site can make a profit of Rs 50,000 within three days. Conversely, the CyberPeace Research Team has just revealed that the video is a deepfake and not the original and there is no credible evidence suggesting Kohli's participation in such endorsements. A lot of the users are sharing the videos with the wrong info title over different Social Media platforms.
Fact Check:
As soon as we were informed about the news, we made use of Keyword Search to see any news report that could be considered credible about Virat Kohli promoting any Casino app and we found nothing. Therefore, we also used Reverse Image Search for Virat Kohli wearing a Black T-shirt as seen in the video to find out more about the subject. We landed on a YouTube Video by Graham Bensinger, an American Journalist. The clip of the viral video was taken from this original video.
In this video, he discussed his childhood, his diet, his cricket training, his marriage, etc. but did not mention anything regarding a newly launched Casino app by the cricketer.
Through close scrutiny of the viral video we have noticed some inconsistencies in the lip-sync and voice. Subsequently, we executed Deepfake Detection in Deepware tool and identified it to be Deepfake Detected.
Finally, we affirm that the Viral Video Is Deepfakes Video and the statement made is False.
Conclusion:
The video has gone viral and claims that cricketer Virat Kohli is the one endorsing an online casino and assuring you that in three days time you will be a guaranteed winner of Rs 50,000. This is all a fake story. This incident demonstrates the necessity of checking facts and a source before believing any information, as well as remaining sceptical about deepfakes and AI (artificial intelligence), which is a new technology used nowadays for spreading misinformation.
Related Blogs
Executive Summary:
A viral video (archive link) claims General Upendra Dwivedi, Chief of Army Staff (COAS), admitted to losing six Air Force jets and 250 soldiers during clashes with Pakistan. Verification revealed the footage is from an IIT Madras speech, with no such statement made. AI detection confirmed parts of the audio were artificially generated.
Claim:
The claim in question is that General Upendra Dwivedi, Chief of Army Staff (COAS), admitted to losing six Indian Air Force jets and 250 soldiers during recent clashes with Pakistan.
Fact Check:
Upon conducting a reverse image search on key frames from the video, it was found that the original footage is from IIT Madras, where the Chief of Army Staff (COAS) was delivering a speech. The video is available on the official YouTube channel of ADGPI – Indian Army, published on 9 August 2025, with the description:
“Watch COAS address the faculty and students on ‘Operation Sindoor – A New Chapter in India’s Fight Against Terrorism,’ highlighting it as a calibrated, intelligence-led operation reflecting a doctrinal shift. On the occasion, he also focused on the major strides made in technology absorption and capability development by the Indian Army, while urging young minds to strive for excellence in their future endeavours.”
A review of the full speech revealed no reference to the destruction of six jets or the loss of 250 Army personnel. This indicates that the circulating claim is not supported by the original source and may contribute to the spread of misinformation.
Further using AI Detection tools like Hive Moderation we found that the voice is AI generated in between the lines.
Conclusion:
The claim is baseless. The video is a manipulated creation that combines genuine footage of General Dwivedi’s IIT Madras address with AI-generated audio to fabricate a false narrative. No credible source corroborates the alleged military losses.
- Claim: AI-Generated Audio Falsely Claims COAS Admitted to Loss of 6 Jets and 250 Soldiers
- Claimed On: Social Media
- Fact Check: False and Misleading
Introduction:
This report examines ongoing phishing scams targeting "State Bank of India (SBI)" customers, India's biggest public bank using fake SelfKYC APKs to trick people. The image plays a part in a phishing plan to get users to download bogus APK files by claiming they need to update or confirm their "Know Your Customer (KYC)" info.
Fake Claim:
A picture making the rounds on social media comes with an APK file. It shows a phishing message that says the user's SBI YONO account will stop working because of their "Old PAN card." It then tells the user to install the "WBI APK" APK (Android Application Package) to check documents and keep their account open. This message is fake and aims to get people to download a harmful app.
Key Characteristics of the Scam:
- The messages "URGENTLY REQUIRED" and "Your account will be blocked today" show how scammers try to scare people into acting fast without thinking.
- PAN Card Reference: Crooks often use PAN card verification and KYC updates as a trick because these are normal for Indian bank customers.
- Risky APK Downloads: The message pushes people to get APK files, which can be dangerous. APKs from places other than the Google Play Store often have harmful software.
- Copying the Brand: The message looks a lot like SBI's real words and logos to seem legit.
- Shady Source: You can't find the APK they mention on Google Play or SBI's website, which means you should ignore the app right away.
Modus Operandi:
- Delivery Mechanism: Typically, users of messaging services like "WhatsApp," "SMS," or "email" receive identical messages with an APK link, which is how the scam is distributed.
- APK Installation: The phony APK frequently asks for a lot of rights once it is installed, including access to "SMS," "contacts," "calls," and "banking apps."
- Data Theft: Once installed, the program may have the ability to steal card numbers, personal information, OTPs, and banking credentials.
- Remote Access: These APKs may occasionally allow cybercriminals to remotely take control of the victim's device in order to carry out fraudulent financial activities.
While the user installs the application on their device the following interface opens:
It asks the user to allow the following:
- SMS is used to send and receive info from the bank.
- User details such as Username, Password, Mobile Number, and Captcha.
Technical Findings of the Application:
Static Analysis:
- File Name: SBI SELF KYC_015850.apk
- Package Name: com.mark.dot.comsbione.krishn
- Scan Date: Sept. 25, 2024, 6:45 a.m.
- App Security Score: 52/100 (MEDIUM RISK)
- Grade: B
File Information:
- File Name: SBI SELF KYC_015850.apk
- Size: 2.88MB
- MD5: 55fdb5ff999656ddbfa0284d0707d9ef
- SHA1: 8821ee6475576beb86d271bc15882247f1e83630
- SHA256: 54bab6a7a0b111763c726e161aa8a6eb43d10b76bb1c19728ace50e5afa40448
App Information:
- App Name: SBl Bank
- Package Name:: com.mark.dot.comsbione.krishn
- Main Activity: com.mark.dot.comsbione.krishn.MainActivity
- Target SDK: 34
- Min SDK: 24
- Max SDK:
- Android Version Name:: 1.0
- Android Version Code:: 1
App Components:
- Activities: 8
- Services: 2
- Receivers: 2
- Providers: 1
- Exported Activities: 0
- Exported Services: 1
- Exported Receivers: 2
- Exported Providers:: 0
Certificate Information:
- Binary is signed
- v1 signature: False
- v2 signature: True
- v3 signature: False
- v4 signature: False
- X.509 Subject: CN=PANDEY, OU=PANDEY, O=PANDEY, L=NK, ST=NK, C=91
- Signature Algorithm: rsassa_pkcs1v15
- Valid From: 20240904 07:38:35+00:00
- Valid To: 20490829 07:38:35+00:00
- Issuer: CN=PANDEY, OU=PANDEY, O=PANDEY, L=NK, ST=NK, C=91
- Serial Number: 0x1
- Hash Algorithm: sha256
- md5: 4536ca31b69fb68a34c6440072fca8b5
- sha1: 6f8825341186f39cfb864ba0044c034efb7cb8f4
- sha256: 6bc865a3f1371978e512fa4545850826bc29fa1d79cdedf69723b1e44bf3e23f
- sha512:05254668e1c12a2455c3224ef49a585b599d00796fab91b6f94d0b85ab48ae4b14868dabf16aa609c3b6a4b7ac14c7c8f753111b4291c4f3efa49f4edf41123d
- PublicKey Algorithm: RSA
- Bit Size: 2048
- Fingerprint: a84f890d7dfbf1514fc69313bf99aa8a826bade3927236f447af63fbb18a8ea6
- Found 1 unique certificate
App Permission
1. Normal Permissions
- Access_network_state: Allows the App to View the Network Status of All Networks.
- Foreground_service: Enables Regular Apps to Use Foreground Services.
- Foreground_service_data_sync: Allows Data Synchronization With Foreground Services.
- Internet: Grants Full Internet Access.
2. Signature Permission:
- Broadcast_sms: Sends Sms Received Broadcasts. It Can Be Abused by Malicious Apps to Forge Incoming Sms Messages.
3. Dangerous Permissions:
- Read_phone_numbers: Grants Access to the Device’s Phone Number(S).
- Read_phone_state: Reads the Phone’s State and Identity, Including Phone Features and Data.
- Read_sms: Allows the App to Read Sms or Mms Messages Stored on the Device or Sim Card. Malicious Apps Could Use This to Read Confidential Messages.
- Receive_sms: Enables the App to Receive and Process Sms Messages. Malicious Apps Could Monitor or Delete Messages Without Showing Them to the User.
- Send_sms: Allows the App to Send Sms Messages. Malicious Apps Could Send Messages Without the User’s Confirmation, Potentially Leading to Financial Costs.
On further analysis on virustotal platform using md5 hash file, the following results were retrieved where there are 24 security vendors out of 68, marked this apk file as malicious and the graph represents the distribution of malicious file in the environment.
Key Takeaways:
- Normal Permissions: Generally Safe for Accessing Basic Functionalities (Network State, Internet).
- Signature Permissions: May Pose Risks When Misused, Especially Related to Sms Broadcasts.
- Dangerous Permissions: Provide Sensitive Data Access, Such as Phone Numbers and Device Identity, Which Can Be Exploited by Malicious Apps.
- The Dangerous Permissions Pose Risks Regarding the Reading, Receiving, and Sending of Sms, Which Can Lead to Privacy Breaches or Financial Consequences.
How to Identify the Scam:
- Official Statement: SBI never asks clients to download unauthorized APKs for upgrades related to KYC or other services. All formal correspondence takes place via the SBI YONO app, which may be found in reputable app shops.
- No Immediate Threats: Bank correspondence never employs menacing language or issues harsh deadlines, such as "your account will be blocked today."
- Email Domain and SMS Number: Verified email addresses or phone numbers are used for official SBI correspondence. Generic, unauthorized numbers or addresses are frequently used in scams.
- Links and APK Files: Steer clear of downloading APK files from unreliable sources at all times. For app downloads, visit the Apple App Store or Google Play Store instead.
CyberPeace Advisory:
- The Research team recommends that people should avoid opening such messages sent via social platforms. One must always think before clicking on such links, or downloading any attachments from unauthorised sources.
- Downloading any application from any third party sources instead of the official app store should be avoided. This will greatly reduce the risk of downloading a malicious app, as official app stores have strict guidelines for app developers and review each app before it gets published on the store.
- Even if you download the application from an authorised source, check the app's permissions before you install it. Some malicious apps may request access to sensitive information or resources on your device. If an app is asking for too many permissions, it's best to avoid it.
- Keep your device and the app-store app up to date. This will ensure that you have the latest security updates and bug fixes.
- Falling into such a trap could result in a complete compromise of the system, including access to sensitive information such as microphone recordings, camera footage, text messages, contacts, pictures, videos, and even banking applications and could lead users to financial loss.
- Do not share confidential details like credentials, banking information with such types of Phishing scams.
- Never share or forward fake messages containing links on any social platform without proper verification.
Conclusion:
Fake APK phishing scams target financial institutions more often. This report outlines safety steps for SBI customers and ways to spot and steer clear of these cons. Keep in mind that legitimate banks never ask you to get an APK from shady websites or threaten to close your account right away. To stay safe, use SBI's official YONO app on both systems and get apps from trusted places like Google Play or the Apple App Store. Check if the info is true before you do anything turn on 2FA for all your bank and money accounts, and tell SBI or your local cyber police about any scams you see.
Introduction:
A new Android malware called NGate is capable of stealing money from payment cards through relaying the data read by the Near Field Communication (“NFС”) chip to the attacker’s device. NFC is a device which allows devices such as smartphones to communicate over a short distance wirelessly. In particular, NGate allows forging the victims’ cards and, therefore, performing fraudulent purchases or withdrawing money from ATMs. .
About NGate Malware:
The whole purpose of NGate malware is to target victims’ payment cards by relaying the NFC data to the attacker’s device. The malware is designed to take advantage of phishing tactics and functionality of the NFC on android based devices.
Modus Operandi:
- Phishing Campaigns: The first step is spoofed emails or SMS used to lure the users into installing the Progressive Web Apps (“PWAs”) or the WebAPKs presented as genuine banking applications. These apps usually have a layout and logo that makes them look like an authentic app of a Targeted Bank which makes them believable.
- Installation of NGate: When the victim downloads the specific app, he or she is required to input personal details including account numbers and PIN numbers. Users are also advised to turn on or install NFC on their gadgets and place the payment cards to the back part of the phone to scan the cards.
- NFCGate Component: One of the main working features of the NGate is the NFCGate, an application created and designed by some students of Technical University of Darmstadt. This tool allows the malware to:
- Collect NFC traffic from payment cards in the vicinity.
- Transmit, or relay this data to the attacker’s device through a server.
- Repeat data that has been previously intercepted or otherwise copied.
It is important to note that some aspects of NFCGate mandate a rooted device; however, forwarding NFC traffic can occur with devices that are not rooted, and therefore can potentially ensnare more victims.
Technical Mechanism of Data Theft:
- Data Capture: The malware exploits the NFC communication feature on android devices and reads the information from the payment card, if the card is near the infected device. It is able to intercept and capture the sensive card details.
- Data Relay: The stolen information is transmitted through a server to the attacker’s device so that he/she is in a position to mimic the victim’s card.
- Unauthorized Transactions: Attackers get access to spend money on the merchants or withdraw money from the ATM that has NFC enabled. This capability marks a new level of Android malware in that the hackers are able to directly steal money without having to get hold of the card.
Social Engineering Tactics:
In most cases, attackers use social engineering techniques to obtain more information from the target before implementing the attack. In the second phase, attackers may pretend to be representatives of a bank that there is a problem with the account and offer to download a program called NGate, which in fact is a Trojan under the guise of an application for confirming the security of the account. This method makes it possible for the attackers to get ITPIN code from the sides of the victim, which enables them to withdraw money from the targeted person’s account without authorization.
Technical Analysis:
The analysis of malicious file hashes and phishing links are below:
Malicious File Hashes:
csob_smart_klic.apk:
- MD5: 7225ED2CBA9CB6C038D8
- Classification: Android/Spy.NGate.B
csob_smart_klic.apk:
- MD5: 66DE1E0A2E9A421DD16B
- Classification: Android/Spy.NGate.C
george_klic.apk:
- MD5: DA84BC78FF2117DDBFDC
- Classification: Android/Spy.NGate.C
george_klic-0304.apk:
- MD5: E7AE59CD44204461EDBD
- Classification: Android/Spy.NGate.C
rb_klic.apk:
- MD5: 103D78A180EB973B9FFC
- Classification: Android/Spy.NGate.A
rb_klic.apk:
- MD5: 11BE9715BE9B41B1C852
- Classification: Android/Spy.NGate.C.
Phishing URLs:
Phishing URL:
- https://client.nfcpay.workers[.]dev/?key=8e9a1c7b0d4e8f2c5d3f6b2
Additionally, several distinct phishing websites have been identified, including:
- rb.2f1c0b7d.tbc-app[.]life
- geo-4bfa49b2.tbc-app[.]life
- rb-62d3a.tbc-app[.]life
- csob-93ef49e7a.tbc-app[.]life
- george.tbc-app[.]life.
Analysis:
Broader Implications of NGate:
The ultramodern features of NGate mean that its manifestation is not limited to financial swindling. An attacker can also generate a copy of NFC access cards and get full access when hacking into restricted areas, for example, the corporate offices or restricted facility. Moreover, it is also safe to use the capacity to capture and analyze NFC traffic as threats to identity theft and other forms of cyber-criminality.
Precautionary measures to be taken:
To protect against NGate and similar threats, users should consider the following strategies:
- Disable NFC: As mentioned above, NFC should be not often used, it is safe to turn NFC on Android devices off. This perhaps can be done from the general control of the device in which the bursting modes are being set.
- Scrutinize App Permissions: Be careful concerning the permission that applies to the apps that are installed particularly the ones allowed to access the device. Hence, it is very important that applications should be downloaded only from genuine stores like Google Play Store only.
- Use Security Software: The malware threat can be prevented by installing relevant security applications that are available in the market.
- Stay Informed: As it has been highlighted, it is crucial for a person to know risks that are associated with the use of NFC while attempting to safeguard an individual’s identity.
Conclusion:
The presence of malware such as NGate is proof of the dynamism of threats in the context of mobile payments. Through the utilization of NFC function, NGate is a marked step up of Android malware implying that the attackers can directly manipulate the cash related data of the victims regardless of the physical aspect of the payment card. This underscores the need to be careful when downloading applications and to be keen on the permission one grants on the application. Turn NFC when not in use, use good security software and be aware of the latest scams are some of the measures that help to fight this high level of financial fraud. The attackers are now improving their methods. It is only right for the people and companies to take the right steps in avoiding the breach of privacy and identity theft.
Reference:
- https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
- https://therecord.media/android-malware-atm-stealing-czech-banks
- https://www.darkreading.com/mobile-security/nfc-traffic-stealer-targets-android-users-and-their-banking-info
- https://cybersecuritynews.com/new-ngate-android-malware/
