Fake Government App Download Scams via SMS
How text messages impersonating government agencies trick citizens into installing malicious apps that steal credentials, banking details, and personal data.
Part of: Fake Government App Download Scams
Last reviewed: 8 June 2026
Text messages carrying links to download an 'official government app' exploit the public's growing familiarity with digital government services. As more tax filings, benefit applications, and identity verification processes move to official apps, a text message directing you to download one seems increasingly plausible — especially if the message references a genuine-sounding government program you may have heard of.
The malicious app, once installed, can harvest banking credentials stored on the device, capture one-time passwords for two-factor authentication, access contacts and messages, or provide remote access to the device. The harm extends well beyond one transaction.
SMS-delivered fake app scams are particularly dangerous because links in text messages do not show a full URL before clicking, and most people have less scrutiny for texts than for emails.
How this scam works on SMS
A text message arrives appearing to come from a tax authority, social services department, health agency, or immigration office. It states that the recipient must download an official app to access a benefit, complete a required update to their government account, or avoid a penalty. A shortened URL is provided.
The link leads to a page mimicking an official government web presence, prompting the download of an APK file (for Android) or directing iOS users to a third-party app store. The app may look and function like a real government app while silently harvesting stored credentials, SMS codes, and banking app data in the background.
In some versions the app displays a fake 'identity verification' form that collects a full set of personal and financial details before presenting a confirmation screen that reassures the user everything is in order.
Common red flags
- Text message asks you to download a government app via a link rather than directing you to the official app store listing
- Link leads to a third-party website rather than an official government domain
- The app is not available through the Apple App Store or Google Play Store
- Message references an urgent deadline or penalty to create pressure
- App requests permissions unrelated to its stated purpose, such as SMS access or contacts
- Sender number is a mobile number rather than a recognised government short code
How to protect yourself
- Only download government apps from the Apple App Store or Google Play Store, searching the app name directly
- Verify the app exists by visiting the government agency's official website and following their link to the app store
- Never install apps from links in text messages, even if the message appears official
- Review app permissions carefully before installation and reject requests for SMS or contacts access if unexplained
- If you installed a suspicious app, remove it immediately, run a security scan, and change banking passwords
How to report it
- Report the text message by forwarding it to 7726 (SPAM) in the US and UK
- Report to your national cybersecurity authority's phishing or smishing reporting service
- File a report with the FTC at reportfraud.ftc.gov or Action Fraud
- Report the malicious app to Google Play or Apple using their official reporting channels
Frequently asked questions
How do I find the real government app for a service?
Go to the official government agency website directly by typing its address, and look for their app store link on that page. Searching the app name in the official App Store or Play Store and checking the publisher name matches the government agency is another reliable approach.
My phone has been behaving strangely since I installed an app. What should I do?
Uninstall the app immediately, run a security scan with a reputable mobile security app, and change passwords for your banking, email, and any government portal accounts. Contact your bank to alert them to potential credential compromise.