India’s Ministry of Electronics and Information Technology on Friday pulled the BAT-BMS app and two similar apps from the Google Play Store and Apple’s App Store after videos showed pranksters using the app to remotely disable e-rickshaws on Indian roads. The app was designed as a Bluetooth tool for monitoring lithium battery health. Its misuse has put the government and the EV supply chain on notice that years of cost-conscious battery design left a clear path to vehicle-level abuse.
The trigger was a string of viral videos that surfaced earlier this week. A clip showed a prankster walking up to a parked e-rickshaw, pairing with its battery over Bluetooth, and cutting off the discharge function with a tap on their phone, leaving the driver stranded in traffic. India’s IT ministry began probing within days, and Union IT Minister Ashwini Vaishnaw received a formal letter from BJP youth wing national secretary Tajinder Bagga calling for an immediate ban on the BAT-BMS app as “being misused to remotely disable e-rickshaws and electric vehicles via Bluetooth.”
How the Trick Works Without Internet or Malware
BAT-BMS was built by Shenzhen Grenergy Technology as a Battery Management System monitoring tool. The app reads live data from Bluetooth-enabled lithium packs: charge level, voltage, current draw, temperature, cycle life, and cell health. Most users are e-rickshaw owners checking whether their pack is fit for the next fare.
The same Bluetooth link that lets an owner read battery data can be used to control charging and discharging functions on compatible packs. The trouble is that some e-rickshaws in India run on Chinese-sourced BMS units shipped with little or no password protection. If the owner never set a PIN, or did not know one was available, anyone standing within Bluetooth range, usually roughly 10 to 15 metres, can pair, send a discharge-off command, and stall the vehicle mid-road. the MeitY removal of three Bluetooth battery apps is the next move in that slow build.
The Shenzhen Grenergy app does not need to bypass a lock because the lock was never set in the first place, and the owner was often never told one was available. The same Chinese-source BMS design powers a range of Indian three-wheelers and a smaller fleet of two-wheelers and commercial EVs. Several of those vehicles have no reason to run BAT-BMS, and several do.
To perform this operation you do not need to perform any type of hacking, there is no requirement for malware. And you do not require access to the internet.
Mandar Patil, executive vice president at cybersecurity firm Cyble, gave that read of the threat to India Today Tech.
Three Years in Jail, Rs 5 Lakh Fine: The Legal Reckoning
India’s cyberlaw community has moved quickly to flatten the idea that what the videos show is harmless fun. Pavan Duggal, chairman of the International Commission on Cyber Security Law, told ANI that pairing with an e-rickshaw’s BMS without the owner’s consent is a dishonest entry into a computer system. That act, in his reading, falls under section 66 read with section 43 of the Information Technology Act 2000, the same statute that has been used against unauthorised access offences in India for over two decades.
I am very clear this is not a game, this is an offense under section 66 read with section 43 of the Information Technology Act 2000 because this is an activity that’s done dishonestly or fraudulently where people enter into the computer system of its e-rickshaw without the consent or the knowledge of the owner.
Duggal laid out the punishment on paper in a single line: three years of imprisonment and a fine of Rs 5 lakh. A stalled e-rickshaw on a busy road puts its passengers, the surrounding traffic, and the driver at risk. India’s IT ministry has also been tightening its grip on consumer-app fraud this week, in a parallel case it ordered Meta to pause WhatsApp usernames pending fraud safeguards.
Why So Many Indian Vehicles Are in the Crossfire
The body count is shaped by how Indian streets are actually built. Low-cost Chinese-sourced lithium battery packs with cheap BMS units power a large slice of the country’s e-rickshaw fleet. Many of those owners never reset factory-default Bluetooth credentials, and many were never told a credential existed. The result is a captive installed base of unsecured batteries that any passerby with the right app can switch off.
Not every Indian e-rickshaw is exposed. A sizeable number still run on traditional lead-acid batteries with no Bluetooth stack at all, and several manufacturers ship proprietary BMS units that only respond to their own dedicated apps. Universal tools like BAT-BMS or Epoch Li-ion cannot dial into them. But the segment that does carry Bluetooth management has been growing fast as fleets electrify and lithium prices slide, and the cheap end of that market is precisely where the prank hit.
Anirban Mukherji, founder and CEO of cybersecurity firm miniOrange, gave India Today Tech a four-step playbook for drivers worried about the trend. His list covers basic Bluetooth hygiene.
Mukherji’s four checks read this way:
- Keep Bluetooth disabled when not required
- Use only authorised service applications
- Install firmware updates provided by the manufacturer
- Report any unusual vehicle behaviour immediately
What Changes Now for Buyers, Drivers and Battery Makers
The bigger concern is that Indian two-wheelers, four-wheelers, and commercial EVs all carry wireless controls in some form. Cybersecurity firm Cyble’s executive vice president Mandar Patil told India Today Tech that the BAT-BMS episode is a wake-up call for every vehicle category whose maker has shipped firmware without an authentication layer. “If electric vehicle manufacturers do not begin to take a more secure design approach we will continue to see these types of attacks evolve as attacker capability continues to increase,” Patil said. He pointed to where the trajectory could land: India’s “e-highways may become a target for hijackers,” he added.
Bharat Krishna Rao, co-founder and CEO of EV startup Emobi, picked up the same thread and stretched it across the software-driven fleet. “As EVs become increasingly software-driven, similar vulnerabilities can emerge across two-wheelers, passenger vehicles, and commercial fleets whenever Bluetooth, telematics, or remote battery controls are involved,” Rao told India Today Tech. Authorities, he said, should ask for transparent disclosures, mandatory cybersecurity testing, secure defaults, and clear grievance mechanisms before the next viral video lands.
The mobile-app side is already moving. India’s Ministry of Electronics and Information Technology has removed BAT-BMS, Epoch Li-ion and Lossigy from both the Google Play Store and Apple’s App Store and is probing each app for the underlying battery-management vulnerabilities that allowed the access in the first place. MeitY has signalled it will block any other app misused in the same way. Manufacturers will almost certainly be pushed toward encrypted pairing, mandatory PINs and signed firmware.
The cost of those fixes lands on e-rickshaw owners in the form of slightly pricier batteries and a few extra taps on a screen before each ride. For app developers, the audit and code-signing requirements add a layer of compliance that the cheap end of the market has so far avoided. MeitY has signalled no end date for the broader sweep.
Frequently Asked Questions
What is the BAT-BMS app?
BAT-BMS is a Battery Management System monitoring app developed by Chinese firm Shenzhen Grenergy Technology. It connects to Bluetooth-enabled lithium battery packs to show charge level, voltage, current draw, temperature, cycle life and cell health. Compatible BMS units also let the app switch charging and discharging on and off, a feature intended for genuine owners but reused by pranksters in the recent viral videos.
Why did India pull the BAT-BMS app from app stores?
India’s Ministry of Electronics and Information Technology removed BAT-BMS, Epoch Li-ion and Lossigy from the Google Play Store and Apple’s App Store on July 3, 2026, after viral videos showed the apps being used to remotely stop e-rickshaws on Indian roads. The ministry has framed the move as part of a wider sweep against any Bluetooth battery-management tool whose default settings leave vehicles open to unauthorised control.
Can the Bluetooth trick behind the BAT-BMS prank work on other EVs?
Mandar Patil of Cyble and Bharat Krishna Rao of Emobi both told India Today Tech the same thing: as EVs grow more software-driven, similar vulnerabilities can spread across two-wheelers, passenger vehicles and commercial fleets whenever Bluetooth, telematics or remote battery controls are involved. Vehicles running traditional lead-acid batteries without a Bluetooth stack are unaffected, and any EV whose manufacturer uses a proprietary BMS app is also out of reach of BAT-BMS.
How can e-rickshaw owners protect their vehicles from being disabled?
The four-step miniOrange check is the practical starting point: keep Bluetooth disabled when not required, use only authorised service applications, install firmware updates as they ship, and report any unusual behaviour to a service centre immediately. The underlying fix will land at the manufacturer side, with MeitY signalling that encrypted pairing, mandatory PINs and signed firmware are all on the table.





