India’s Department of Telecommunications (DoT) has issued a major directive to app-based communication services. The order requires platforms to ensure they cannot function without an active SIM card linked to the user’s verified mobile number.
The mandate targets messaging apps like WhatsApp, Telegram, Snapchat, and Signal. These platforms, which use an Indian mobile number as a unique user identifier, must comply with the new regulations within 90 days.
The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024, aims to combat the misuse of phone numbers for phishing, scams, and cyber fraud. The DoT stated that SIM-binding directions are crucial for closing a security gap that bad actors exploit for cross-border crime.
The department explained that accounts on instant messaging apps often remain active even after the associated SIM card is deactivated, removed, or taken abroad. This loophole enables anonymous scams, remote “digital arrest” frauds, and government-impersonation calls using Indian numbers.
A significant problem involves long-lived web and desktop sessions. These allow fraudsters to control victim accounts from remote locations without access to the original device or SIM. This situation complicates tracing efforts.
📱 India now requires messaging apps like WhatsApp, Telegram, and Signal to stay linked to an active SIM card.
Web sessions will auto-logout every 6 hours.
Goal — stop “ghost sessions” used for scams and fraud.
🔗 Details ↓ https://t.co/ATJnCzu6OA
— The Hacker News (@TheHackersNews) December 2, 2025
The newly issued directive contains two primary technical mandates for service providers. First, it requires app-based communication services to remain continuously linked to the device’s SIM card. This linkage makes it impossible to use the app without that SIM active.
Second, the directive mandates that the web service instance of a messaging platform must log users out every six hours. Users would then need to re-link their device via a QR code to continue.
The government states that forcing periodic re-authentication reduces the potential for account takeover attacks, remote control misuse, and mule account operations. This repeated re-linking introduces friction. It requires threat actors to repeatedly prove they control the account.
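The two mandates can be sketched as server-side session logic. The following is an added example, not code from the directive or from any of the platforms named. The registry class, the SIM-status report from the phone app, and the phone number are assumptions made for illustration. It shows why the six-hour limit has to be an absolute lifetime counted from the QR link rather than an idle timeout that activity keeps extending.

```python
import secrets
from dataclasses import dataclass

WEB_SESSION_MAX_AGE = 6 * 60 * 60  # seconds: the six-hour cap described above

@dataclass
class WebSession:
    account: str      # verified mobile number that identifies the account
    linked_at: float  # time of the QR link; activity never refreshes it

class SessionRegistry:
    """Hypothetical server-side registry of linked web sessions."""

    def __init__(self):
        # account -> last SIM status reported by the phone app (assumed signal)
        self.sim_active = {}
        self.sessions = {}  # token -> WebSession

    def report_sim(self, account, active):
        self.sim_active[account] = active
        if not active:
            # SIM deactivated or removed: revoke every web session at once.
            self.sessions = {t: s for t, s in self.sessions.items()
                             if s.account != account}

    def link_web(self, account, now):
        """Called after a QR scan; refuses when the SIM is not active."""
        if not self.sim_active.get(account, False):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = WebSession(account, now)
        return token

    def check(self, token, now):
        """Validate one request; returns 'ok' or 'relink_required'."""
        session = self.sessions.get(token)
        if session is None:
            return "relink_required"
        # Absolute lifetime from the link time, not a sliding idle timeout,
        # so a continuously used session still ends after six hours.
        if now - session.linked_at >= WEB_SESSION_MAX_AGE:
            del self.sessions[token]
            return "relink_required"
        return "ok"
```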
The DoT emphasised that these restrictions ensure every active messaging account and its web sessions are tied to a Know Your Customer (KYC)-verified SIM. This linkage allows authorities to trace numbers used in phishing, investment scams, and other fraudulent schemes.
Notably, SIM-binding and automatic session logout rules already apply to banking and instant payment apps using India’s UPI system. The latest directions extend this established policy to cover major messaging platforms.
This development follows a recent DoT announcement about establishing a Mobile Number Validation (MNV) platform. This system aims to curb mule accounts and identity fraud stemming from unverified linkages of mobile numbers with digital services.