Centre Orders Removal Of Chinese Apps Used To Hack E-Rickshaws In Delhi

The Centre has ordered the removal of BAT-BMS, Lossigy and Epoch Li-ion apps from Google Play Store and Apple App Store after reports that they were misused to remotely disable moving e-rickshaws in Delhi. Officials said the apps were originally designed for lithium-ion battery monitoring but were exploited for malicious control.

Tasneem Kanchwala
Updated: Friday, July 03, 2026, 02:09 PM IST

The Centre has ordered the removal of two mobile applications, BAT-BMS, Lossigy, and Epoch Li-ion, from the Google Play Store and the Apple App Store. The move comes after reports surfaced of the apps being misused to remotely disable moving e-rickshaws in Delhi. These applications are battery management tools that connect to lithium-ion batteries via Bluetooth. They were originally built to help monitor battery parameters such as voltage, temperature, and charge cycles.

S Krishnan, Secretary, Ministry of Electronics and Information Technology, confirmed the action while speaking to reporters on the sidelines of the CII Cybersecurity Summit. "There are a couple of apps which came up to our notice yesterday and both of them have been taken down from the app stores," Krishnan said.

When asked how the government plans to stop such apps given that they are being accessed from a particular country, Krishnan pointed to the responsibility of app store platforms. "That is the point, that this is due care that the app stores have to exercise, and we will take it up to the app stores to see that possibly damaging apps do not occur," he said.

How the e-rickshaw prank works

The trend involves opening the mobile app, connecting to the nearest e-rickshaw battery over Bluetooth, and switching off the discharge function. A single tap is enough to power down the vehicle. The driver is left stranded and confused in the middle of the road, and the e-rickshaw can only be restarted once someone switches the battery back on through the same application.

Many low-cost e-rickshaw batteries in India lack password protection or authentication, which makes this misuse possible. Anyone within Bluetooth range, roughly 10 to 15 metres, can connect to an unsecured battery management system without the owner's knowledge and disable the vehicle. Officials have noted that this vulnerability does not affect all e-rickshaws, since some run on older lead-acid batteries with no Bluetooth capability, while certain lithium battery packs use proprietary systems that block third-party apps entirely.

Drivers left stranded and facing financial losses

For e-rickshaw drivers, many of whom rent their vehicles daily, the so-called prank translates into real financial loss. A viral video on social media showed a driver struggling after his e-rickshaw was disabled mid-route. Social media influencer Amaan Siddiqui described the incident to the news agency ANI after he intervened to help.

"I saw a man tying up his rickshaw to another in order to move it," Siddiqui said. "I suspected this app to be behind it. I brought my vehicle behind it and tried connecting my app to the rickshaw. Once it connected, I asked him to stop and told him that his rickshaw would now restart."

According to Siddiqui, the driver had lost between Rs. 400 and Rs. 500 for the day. "He broke down and told me that he had lost an entire day of earning. He had taken the rickshaw on rent. His rickshaw had been at the same spot for an entire day," Siddiqui said.

Drivers who lack smartphones or the technical know-how to operate such apps are particularly vulnerable, and some have reportedly paid strangers or mechanics to get their vehicles working again, unaware that the vehicle was never actually faulty.

What the Delhi government said

A senior Delhi government official said the underlying issue lies in the design of these battery management apps. The apps are meant to help monitor real-time parameters such as voltage, temperature, and current, but their control functions can be misused when the connected battery systems lack basic security.

"There is no password or authentication. As a result, cutting the power output and bringing the vehicle to a sudden halt becomes easy," the official said.

MeitY secretary on VPN misuse

Krishnan was also asked about the broader issue of VPN misuse during the same interaction. He acknowledged that the government's approach to the problem is still evolving. "We have to see, the process has just begun," he said, describing it as a techno-legal aspect that cannot be solved through regulation alone. "We have to look at both a technology solution in addition to just a legal solution," he added.

Krishnan pointed out that a legal framework already exists on paper, since certain guidelines currently require VPN providers to register. However, he flagged a gap in compliance. "There is a requirement even under certain guidelines currently for VPNs to register. What happens is many of them choose not to register. They offer it from elsewhere, and it is offered at the software level," he said. Because of this, Krishnan noted that the ministry has to look beyond legal mandates and work towards technology-based solutions to address the issue.

What happens next

With the two apps now removed from both major app stores, the Centre's immediate focus appears to be on preventing further misuse through official distribution channels. Krishnan's comments suggest MeitY intends to engage directly with app store operators like Google and Apple to strengthen screening processes and stop similarly exploitable apps from being listed in the first place.

On the VPN front, his remarks indicate that the ministry is weighing technical interventions alongside existing registration requirements, since offshore VPN providers offering services without registering in India have proven difficult to rein in through legal mandates alone. Whether the government will also examine mandatory security standards, such as compulsory password protection for Bluetooth-enabled battery systems sold in the country, remains to be seen.