Fake Revolut App Downloads Stealing Banking Credentials
Fraudulent apps mimicking Revolut's design and branding appear in unofficial app stores, phishing sites, and search-engine ads. Once installed, they capture login credentials, harvest two-factor codes, and can access the device's SMS messages.
Part of: Fake App Downloads
Last reviewed: 8 June 2026
Revolut is a digital banking app that many users rely on exclusively for daily spending, currency exchange, and savings. Because access to a Revolut account is entirely through the app, criminals have created near-identical counterfeit versions designed to harvest credentials the moment a user logs in.
Fake Revolut apps are distributed through phishing sites disguised as the official Revolut download page, third-party APK repositories, and occasionally through malicious search-engine advertisements that rank above the legitimate app-store listing. They may also arrive via SMS messages claiming your Revolut app needs a security update — with a link to download the 'latest version.'
Once installed, the fake app may present a convincing login interface. As soon as credentials are entered, they are transmitted to the attacker. Some variants also implement a fake OTP screen to capture the victim's two-factor code in real time, allowing the attacker to authenticate immediately on the real Revolut platform.
How this scam works on the Revolut brand
The real Revolut app is available only through the Apple App Store and Google Play Store, published by Revolut Ltd. Revolut will never SMS or email you a direct APK download link or ask you to install from a third-party source.
A common attack chain begins with a spoofed SMS reading that your account has been flagged for suspicious activity and directing you to install an updated security app from a provided link. The link downloads an APK. After installation, the fake app opens a perfect replica of the real Revolut login screen. Entering your phone number and password sends those details to a fraudster-controlled server. The attacker then initiates a login on the real app, and when Revolut sends an SMS OTP, the fake app intercepts it — some malicious apps request SMS-read permission for exactly this purpose.
Other routes include fake Revolut customer-service websites that appear in paid search ads, which instruct visitors to download a 'support tool' or 'secure version' of the app to fix a claimed account problem.
Common red flags
- You received a link to download Revolut via SMS, email, or a pop-up — the real app is only on official app stores
- The installer is an APK file (Android) rather than an app-store download
- The app requests SMS-read or notification-access permissions beyond what a banking app needs
- The app logo or splash screen looks slightly different from the official version
- A 'support agent' directed you to a specific download link rather than to the app store
- The URL of a supposed Revolut download page is not revolut.com
How to protect yourself
- Download Revolut only from the official Apple App Store or Google Play Store — verify the publisher is 'Revolut Ltd'
- Never install APK files from links sent via SMS or email, even if they claim to be from Revolut
- Check app permissions after installation — a legitimate banking app should not need to read your SMS inbox
- Enable biometric authentication in the real Revolut app to add an additional layer beyond passwords
- If you see a search-engine ad for Revolut, navigate to revolut.com directly rather than clicking the ad
- Turn on Revolut login notifications so every sign-in triggers an alert to your registered email
How to report it
- Report the fake app or APK link to Revolut's security team at [email protected]
- Submit the malicious URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Report the app to the respective app store using the 'Flag as inappropriate' option
- File a report with Action Fraud at actionfraud.police.uk (UK) or IC3.gov (US)
- If credentials were captured, contact Revolut in-app support immediately to freeze the account
Frequently asked questions
How can I verify I have the real Revolut app?
Open your phone's App Store or Google Play, search for 'Revolut,' and confirm the publisher is 'Revolut Ltd.' Check that the app has a very large number of reviews and installs consistent with a major banking app. If in doubt, delete and reinstall from the official store.
Can a fake app intercept my two-factor SMS codes?
Yes. Some malicious apps request SMS-read permission and can forward OTP codes to attackers in real time. This is why SMS 2FA is weaker than an authenticator app for high-value accounts.
Is sideloading apps on Android inherently risky?
Sideloading — installing APKs from outside the Play Store — bypasses Google's app-safety scanning. While not all sideloaded apps are malicious, any app from an unverified source is a significant risk, especially for banking software.