Cyber fraudsters using new tech to bypass UPI security for financial transactions: Report

Report Flags ‘Digital Lutera’ Toolkit Bypassing UPI App Security

New Delhi, March 11

Cyber intelligence firm CloudSEK has claimed that online fraudsters are using new technology that bypasses security features of Unified Payments Interface (UPI) apps to carry out financial transactions.

In a report, the firm said it has identified at least 20 active groups on messaging platform Telegram, each with more than 100 members, where a toolkit named “Digital Lutera” is being discussed, distributed and operationalised.

“This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable,” CloudSEK threat researcher Shobhit Mishra said.

“If left unaddressed, this could industrialise account takeovers at scale across the digital payments ecosystem,” he added.

According to CloudSEK, analysis of one such group indicated that transactions worth Rs 25–30 lakh were processed in just two days, highlighting the rapid scale at which the fraud model is expanding.

An email query sent to the National Payments Corporation of India (NPCI) regarding the report remained unanswered.

SIM-binding is treated as proof that a bank account is securely tied to a specific device. UPI apps process transactions only after verifying that the SIM installed in the handset carries the phone number linked to the account.

CloudSEK said the attack typically begins when a user unknowingly installs a malicious APK disguised as routine communication, such as a traffic fine notice or a wedding invitation. Once installed, the malware obtains SMS permissions, giving it access to the phone’s text messages.

With the malicious app in place on the victim’s phone, attackers use a specialised Android framework tool from the “Digital Lutera” toolkit on their own device to manipulate system-level identity and SMS functions. The registration messages meant for banks, along with OTPs, are then intercepted and silently forwarded to Telegram channels controlled by the attackers.

“Fake ‘sent’ SMS entries are inserted into the phone’s message records to make everything appear legitimate. As a result, a victim’s UPI account can be registered and controlled on a completely different device, even though the actual SIM card never leaves the victim’s phone,” the report said.

The firm added that once the Android device has been manipulated in this way, the UPI app is led to believe that the verification messages genuinely originated from the victim’s smartphone.

CloudSEK said it has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures as part of responsible disclosure.

PTI