New Modus Operandi to Commit Fraud in Digital Payment Ecosystem – Through ‘AnyDesk’ Mobile App – Busting the myth & Stating the facts

Over the last couple of days, a strange RBI notification has been doing the rounds about how a mobile app called AnyDesk is being used to steal your money through fraudulent transactions. Like any notification put together quickly without proper fact-checking, this is nothing but a security goof-up.

Can AnyDesk be misused?
Yes, but so can the technology we call telecommunications, which allows us to make & receive calls through a phone. Does that mean the phone-calling feature is a fraudulent app, too?

Anyone who has ever had a fever should know that a rising body temperature is a symptom & not an illness in itself. Similarly, AnyDesk is just another remote-sharing app which dutifully asks for your permission before allowing anyone to see your screen. So, why did AnyDesk get mentioned & not the hundred other apps available online? It is again a case of someone becoming a victim of its own success. Because AnyDesk is so simple, it is widely used, which makes it a perfect tool to abuse. But then all the bad things can’t happen on their own. Clearly, it is the user who is also making things easy for fraudsters.

Let’s look at each of the points mentioned in the circular.

1. RBI says: Fraudster would lure the victim to download an app called ‘AnyDesk’ from Playstore or Appstore. There are more apps similar to ‘AnyDesk’ that help provide remote access of device to other users.
   We say: Don’t download anything from untrusted sources & unknown developers. Read the app details before any download & never download through email/SMS links. Always search for an app in the store.

2. RBI says: The app code (9 digit number) would be generated on victim’s device which the fraudster would ask the victim to share.
   We say: Why give such an important detail to an unknown person? Never share any number, including an OTP generated on apps.

3. RBI says: Once fraudster inserts this app code (9 digit number) on his device, he would ask the victim to grant certain permissions.
   We say: Would you give your car keys to a random person on the street to drive? If yes, then grant access. Otherwise, NO.

4. RBI says: Fraudster will gain access to victim’s device.
   We say: Obviously, and even the world’s top security expert won’t be able to stop it.

5. RBI says: The mobile app credential is vished from the customer and fraudster then carry out transactions through the mobile app already installed on customer’s device.
   We say: Since you have given unfettered access to the phone, the fraudster can do anything, including paying bills using your card.

I would say that AnyDesk is still far better than many others on the shelf. So, it is better to stay vigilant at all times & not only for a specific app. If this many warnings & alerts don’t stop a user from relinquishing access, nothing will. And it is unfair that AnyDesk is singled out & mentioned negatively in this RBI advisory. Instead, there should be far more awareness of cybersecurity rather than going on a witch-hunt against apps.