
Deepfake videos of Virat Kohli and others are being used to promote fraudulent gaming app: CloudSEK

A widespread deepfake video scam is using famous Indian personalities, including Virat Kohli, Mukesh Ambani, Anant Ambani and Neeraj Chopra, as well as international personalities to promote fraudulent mobile gaming applications, according to cybersecurity firm CloudSEK.

CloudSEK's investigation found that the deepfake videos featured well-known celebrities and high-profile individuals using a mobile gaming application called "Aviator".

Scammers are using these videos to trick people into downloading the dubious app and have also created a fake Play Store to make the download appear genuine. The research team identified a number of fraudulent campaigns targeting users in India, Pakistan, Nigeria and Saudi Arabia, among others.

International icons such as Cristiano Ronaldo, James Donaldson (Mr. Beast), Deadpool aka Ryan Reynolds and the Pakistani actress Hania Aamir are also shown promoting the app.

One of the videos shows Mr. Beast in a fictional promotion for the African market, explaining how users can make money playing Aviator by investing small amounts, such as 1,000 Kenyan shillings, and earning returns based on a multiplier. According to CloudSEK, Virat Kohli has been one of the personalities most frequently targeted by similar deepfakes in South Asia.

The videos often begin with doctored footage of news anchors including Shweta Singh (Aaj Tak), Arnab Goswami (Republic TV) and Sudhir Chaudhary. These fake shows claim that the mobile application has helped people from all walks of life to earn money easily.

The use of news channels such as Aaj Tak, Republic TV, Zee News and ARY News increases the credibility of the scam and encourages unsuspecting viewers to download the fraudulent app.

The scam initially targeted the EU population in early September 2024 and has now spread to India and various other regions, including Nigeria, Pakistan, Bangladesh, Saudi Arabia and Southeast Asia.

One of the fraudulent tactics is using phishing links on the Google Play Store. Users are tricked into thinking they are downloading the app from a legitimate platform, while the links actually redirect them to fraudulent phishing sites.

Phishing domains like Avatarsky[.]Firstly are used to impersonate the Google Play Store while installing proxy apps like Proxy_chrome on victims' devices. These malicious apps appear to be legitimate and display real-time statistics such as “Over 2,500 players playing” with multiple payment options including UPI and cryptocurrency, luring unsuspecting users into the scam.

CloudSEK research has found that over 1,000 phishing domains are created every day, predominantly using the top-level domain (TLD) .top. The scammers also offer various fraudulent payment methods, including bank transfers to accounts at CSB Bank and City Union Bank, as well as cryptocurrency transactions in Bitcoin, Monero, Tron, Ethereum, and BNB.