Cyber fraudsters exploit new tech to bypass UPI security, warns CloudSEK report

Yellarthi Chennabasava
March 12, 2026

Cyber fraudsters are using a new technology that can bypass key security features of Unified Payments Interface (UPI) applications to carry out financial transactions, according to a report by cyber intelligence firm CloudSEK. The company has warned that the emerging threat could potentially enable large-scale account takeovers if it remains unchecked.

In its analysis, CloudSEK said it had identified at least 20 active groups on the messaging platform Telegram, each with more than 100 members, where a toolkit known as “Digital Lutera” is being discussed, distributed and used to conduct fraudulent operations.

According to Shobhit Mishra, Threat Researcher at CloudSEK, the toolkit represents a deeper structural attack on device-level trust rather than a conventional malware threat. “This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable,” he said, warning that such techniques could industrialise account takeovers across the digital payments ecosystem.

The report noted that a single Telegram group analysed by the firm indicated that transactions worth ₹25–30 lakh were processed within just two days, underscoring the speed at which the fraud model could scale and the potential number of victims involved.

Typically, the attack begins when a user unknowingly installs a malicious APK file disguised as something routine, such as a traffic challan notice, courier notification or wedding invitation. Once installed, the malware gains permission to access the phone’s SMS messages, allowing attackers to monitor and intercept critical verification communications.

After the malware is installed, the fraudsters use a specialised Android framework tool on their own device to manipulate system-level identity and messaging functions. When banks send registration messages or one-time passwords (OTPs) for UPI verification, the malware captures the messages and silently forwards them to Telegram channels controlled by the attackers.

To avoid detection, the malware also inserts fake “sent” SMS entries in the victim’s message records so that the activity appears legitimate. As a result, the UPI application is misled into believing that verification messages originated from the genuine device.

This allows attackers to register and control a victim’s UPI account on a different device, even though the actual SIM card remains with the user.

CloudSEK said it has informed regulators and financial institutions about the threat as part of responsible disclosure to enable preventive and mitigation measures. An email query sent to the National Payments Corporation of India (NPCI) regarding the findings remained unanswered.

Cyber fraudsters exploit new tech to bypass UPI security, warns CloudSEK report - The Morning Voice