Security
Cybersecurity firm CloudSEK has uncovered a new fraud toolkit dubbed “Digital Lutera” that enables attackers to bypass security protections in India’s Unified Payments Interface (UPI), raising concerns about the evolving threat landscape around digital payments.
According to CloudSEK researchers, the toolkit is being distributed through underground Telegram channels where cybercriminals share tools and coordinate fraudulent activity. The firm said it identified at least 20 Telegram groups with more than 100 members each discussing and deploying the toolkit.
In one group alone, investigators observed transactions worth ₹25–30 lakh carried out within just two days, suggesting the technique is already being used in active fraud operations.
Unlike earlier UPI scams that relied on modified or fake payment apps, Digital Lutera operates by manipulating the Android operating system itself while leaving the banking application unchanged. Because the original app remains intact, it continues to pass digital signature checks and security scans, making the fraud more difficult to detect.
CloudSEK said the attack typically begins when victims install a malicious Android application disguised as a legitimate file, such as a traffic fine notification or a wedding invitation. Once installed, the malware gains access to SMS permissions on the device.
Attackers then use specialized Android framework tools on their own devices to manipulate system-level identity and messaging functions. Registration messages intended for banks are intercepted, while one-time passwords are silently forwarded to Telegram channels controlled by the attackers.
The technique allows fraudsters to register and control a victim’s UPI account on a different device even though the victim’s SIM card remains in their phone, undermining the widely used SIM-binding security mechanism.
Researchers say this represents a shift in cybercrime tactics from app-level tampering to system-level manipulation, making traditional security checks less effective.
Shobhit Mishra said the discovery signals a deeper structural threat to device trust in mobile payments.
He warned that if attackers can manipulate the operating system to spoof SMS and identity verification processes, they could intercept OTPs, reset UPI PINs and execute fraudulent transactions at scale.
CloudSEK has reported its findings to regulators and financial institutions as part of responsible disclosure, urging them to adopt stronger safeguards such as hardware-backed device verification and enhanced backend validation.
The company also warned that relying solely on SMS-based SIM verification may no longer be sufficient as fraud techniques evolve and organized cybercriminal groups develop more sophisticated tools targeting India’s rapidly expanding digital payments ecosystem.
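The "enhanced backend validation" and device-bound verification CloudSEK recommends can be sketched as a registration check that refuses to trust an SMS-verified SIM on its own. The following is an added illustrative example, not CloudSEK's, any bank's, or NPCI's code; it assumes a per-device key created in a hardware-backed keystore at enrolment, and uses an HMAC secret as a stand-in for that key pair so it runs offline with the standard library.

```python
"""Backend device-binding check that complements SMS-based SIM binding.

Illustrative example only. Assumption: a device key pair is generated in a
hardware-backed keystore at enrolment and its public half stored server-side;
here an HMAC secret stands in for that key pair so the example runs offline.
"""
import hashlib
import hmac
import secrets

# Server-side binding table: msisdn -> (device_id, device_key)
BINDINGS = {}
ISSUED_NONCES = set()


def enrol(msisdn, device_id, device_key):
    """Bind a phone number to one device key during trusted onboarding."""
    BINDINGS[msisdn] = (device_id, device_key)


def issue_nonce():
    """Server-issued, single-use challenge for a registration attempt."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def sign_registration(device_key, msisdn, device_id, nonce):
    """What the genuine app does with its device key (HMAC stand-in)."""
    msg = f"{msisdn}|{device_id}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def validate_registration(msisdn, device_id, nonce, sig, sms_verified):
    """Return (accepted, reason). A passed SMS check alone is never enough."""
    if not sms_verified:
        return False, "sms_binding_failed"
    if nonce not in ISSUED_NONCES:
        return False, "unknown_or_replayed_nonce"
    ISSUED_NONCES.discard(nonce)  # single use: a forwarded copy cannot be replayed
    bound = BINDINGS.get(msisdn)
    if bound is None:
        return False, "not_enrolled"
    bound_device, device_key = bound
    if device_id != bound_device:
        # SIM still in the victim's handset, request from a different one:
        # the pattern described above. Require out-of-band re-enrolment.
        return False, "device_mismatch_reenrol_required"
    expected = sign_registration(device_key, msisdn, device_id, nonce)
    if not hmac.compare_digest(expected, sig):
        return False, "bad_device_signature"
    return True, "ok"
```

The device-mismatch branch is the one that matters for the case above: intercepting the registration SMS and the OTP gives an attacker nothing the backend accepts without the enrolled device's key.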