New Delhi, March 11 Online fraudsters are using new technology that bypasses the security features of UPI apps to carry out financial transactions, cyber intelligence firm CloudSEK claimed in a report.
According to the report, the firm has identified at least 20 active groups on messaging platform Telegram, each with over 100 members, where a toolkit called "Digital Lutera" is being discussed, distributed, and operationalized.
"This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could lead to large-scale account takeovers across the digital payments ecosystem," said Shobhit Mishra, a Threat Researcher at CloudSEK.
CloudSEK claims to have analyzed one such group alone, which indicates that transactions worth Rs 25-30 lakh were processed over just two days, highlighting how quickly the fraud model is scaling and the number of victims' connections.
The UPI custodian, National Payments Corporation of India (NPCI), said that the digital payment system has robust checks in place to handle "such risks."
"NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure," an NPCI statement said.
NPCI said that it continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users.
SIM-binding has been treated as a proof that a bank account is securely tied to a specific device. UPI apps process transactions after verifying the SIM of the phone number with which the account associated with it is installed in the mobile phone.
CloudSEK said that the attack typically begins when a user unknowingly installs a malicious APK disguised as something routine, such as a traffic fine notice or a wedding invitation. Once installed, the malware gains access to the victim's phone's SMS permissions.
Once the Digital Lutera toolkit is installed, attackers use a specialized Android framework tool on their own device to manipulate system-level identity and SMS functions. The attacker is then able to intercept registration messages intended for the banks and OTPs are silently forwarded to Telegram channels controlled by the attackers.
"Fake "sent" SMS entries are inserted into the phone's message records to make everything appear legitimate. The result is disturbing: a victim's UPI account can be registered and controlled on a completely different device — even though the actual SIM card never leaves the victim's phone," the report said.
The cyber intelligence firm said that after manipulating the Android device, it makes the UPI app believe that messages for verification have genuinely emanated from the smartphone. CloudSEK said that it has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures as part of responsible disclosure.