New 'Digital Lutera' Android Toolkit Can Hijack Your UPI Account

Victims may remain unaware that their UPI account has been taken over on another device as the attack happens silently, as per researchers.

Written by Shaurya Tomer, Edited by David Delima | Updated: 11 March 2026 14:33 IST

Photo Credit: CloudSEK

The toolkit is designed to bypass restrictions by directly targeting the Android OS

Highlights
  • The Digital Lutera toolkit targets Android devices to bypass SIM checks
  • It is spreading via fake apps shared on Telegram, per researchers
  • CloudSEK says it has reported the threat to authorities
The government recently enforced a SIM-binding mandate for messaging and financial platforms, intending to curb digital fraud and identity misuse. As per the Department of Telecommunications (DoT), this move is meant to ensure that services like messaging platforms and UPI apps are linked to the SIM card on the user's primary device, reducing the ease of account takeover. Cybersecurity researchers have now identified a toolkit designed to bypass these restrictions by directly targeting the Android operating system, intercepting messages and accessing the victims' UPI accounts by spoofing the authorisation process and tricking the system into thinking it is legitimate.

What Is the “Digital Lutera” Toolkit

Researchers at cybersecurity firm CloudSEK have identified a fraud toolkit named Digital Lutera, which enables cybercriminals to bypass the recently introduced SIM-based verification mechanism used for digital payment systems in India. The toolkit targets digital payment systems that rely on UPI-linked bank accounts and SMS-based OTP verification.

Unlike traditional malware that directly targets banking apps, Digital Lutera works by modifying system-level behaviour on Android devices, as per the firm. The toolkit is claimed to use LSPosed, a framework that enables the injection of custom modules into the Android runtime environment. With LSPosed, system functions can be intercepted, including those responsible for handling incoming SMS messages.

CloudSEK found that the malware toolkit is being spread via Telegram groups, where attackers share information about financial fraud operations. Researchers found over 20 Telegram groups, each of which has several members.

How the Attack Happens

The attack relies on altering Android's system behaviour rather than breaking into the payment app itself. According to CloudSEK, it takes place in multiple phases. It begins when the victim unknowingly installs a malicious Android application, often disguised as something harmless, such as a traffic challan notice or a wedding invitation APK.

These Trojanised apps request permissions such as Read and Write SMS. The malware is said to run silently in the background and forward incoming verification messages to the attacker through LSPosed modules. Using this access, the attacker tries to log in to the victim's account through a modified version of the app on their own device.

Once the service sends a login OTP for the victim's account to the victim's phone number, it is intercepted by the Trojan and forwarded to the attacker. The app then generates a device binding token, which is commonly used by banks to verify the legitimacy of the device.

Because the message originates from the victim's SIM card, the telecom network automatically identifies it as legitimate, the cybersecurity firm noted. Once the device is successfully linked, CloudSEK said the attacker can trigger a UPI PIN reset request. This allows the attacker to set a new UPI PIN and gain full control of the victim's payment account, enabling unauthorised transactions.

Researchers say the attack works because many financial systems rely on the mobile number provided by telecom networks as proof of device ownership. As per the firm, victims may remain unaware that their UPI account has been registered or accessed on another device as the attack happens silently.
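
For defenders on the payment-service side, the sequence described above (an additional device is bound to an existing account, then a UPI PIN reset follows from that device) can be checked for in account event logs. The sketch below is an added example, not code from CloudSEK or this article; the event names, the tuple layout and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, account, device, event).
# Field layout and event names are assumptions for this example.
EVENTS = [
    ("2026-03-10T09:00:00", "acct-1", "dev-A", "device_bind"),
    ("2026-03-10T09:05:00", "acct-1", "dev-A", "payment"),
    ("2026-03-11T02:10:00", "acct-1", "dev-X", "device_bind"),
    ("2026-03-11T02:13:00", "acct-1", "dev-X", "pin_reset"),
    ("2026-03-10T11:00:00", "acct-2", "dev-B", "device_bind"),
    ("2026-03-11T12:00:00", "acct-2", "dev-B", "pin_reset"),
    ("2026-03-09T08:00:00", "acct-3", "dev-C", "device_bind"),
    ("2026-03-11T08:00:00", "acct-3", "dev-D", "device_bind"),
    ("2026-03-13T08:00:00", "acct-3", "dev-D", "pin_reset"),
]

WINDOW = timedelta(minutes=30)  # assumed review threshold, tune per service


def find_takeover_candidates(events, window=WINDOW):
    """Return (account, device, bind_time, reset_time) for each PIN reset made
    from a device that was bound as an additional device within `window`."""
    known = {}    # account -> set of device ids already bound
    recent = {}   # (account, device) -> bind time of a newly added device
    alerts = []
    # ISO-8601 timestamps sort chronologically as strings
    for ts, acct, dev, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "device_bind":
            devices = known.setdefault(acct, set())
            # The first binding is normal onboarding; a later new device is the signal
            if devices and dev not in devices:
                recent[(acct, dev)] = when
            devices.add(dev)
        elif kind == "pin_reset":
            bound_at = recent.get((acct, dev))
            if bound_at is not None and when - bound_at <= window:
                alerts.append((acct, dev, bound_at.isoformat(), when.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_candidates(EVENTS):
        print("review:", alert)
```

A flagged account is a candidate for step-up verification or a notification to the previously bound device, since the article notes victims otherwise receive no sign of the new registration.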

CloudSEK said it has responsibly disclosed its findings to financial institutions and authorities to help them come up with mitigation strategies.


