Researchers Discover 'Digital Lutera' Android Toolkit That Can Hijack UPI Accounts; NPCI Responds

Victims may remain unaware that their UPI account has been taken over on another device as the attack happens silently, as per researchers.

Written by Shaurya Tomer, Edited by David Delima | Updated: 11 March 2026 16:23 IST
Highlights
  • The Digital Lutera toolkit targets Android devices to bypass SIM checks
  • It is spreading via fake apps shared on Telegram, per researchers
  • CloudSEK says it has reported the threat to authorities

The toolkit is designed to bypass restrictions by directly targeting the Android OS

Photo Credit: CloudSEK

The government recently enforced a SIM-binding mandate for messaging and financial platforms, intending to curb digital fraud and identity misuse. As per the Department of Telecommunications (DoT), this move is meant to ensure that services like messaging platforms and UPI apps are linked to the SIM card on the user's primary device, reducing the ease of account takeover. Cybersecurity researchers have now identified a toolkit designed to bypass these restrictions by directly targeting the Android operating system, intercepting messages and accessing the victims' UPI accounts by spoofing the authorisation process and tricking the system into thinking it is legitimate.

Update (March 11, 4:20pm): This article has been updated to reflect a statement from the National Payments Corporation of India (NPCI) in response to CloudSEK's report, and the headline has been updated accordingly.


What Is the “Digital Lutera” Toolkit

Researchers at cybersecurity firm CloudSEK have identified a fraud toolkit named Digital Lutera, which enables cybercriminals to bypass the recently introduced SIM-based verification mechanism used for digital payment systems in India. The toolkit targets digital payment systems that rely on UPI-linked bank accounts and SMS-based OTP verification.

Unlike traditional malware that directly targets banking apps, Digital Lutera works by modifying system-level behaviour on Android devices, as per the firm. The toolkit is claimed to use LSPosed, a framework that enables the injection of custom modules into the Android runtime environment. With LSPosed, system functions can be intercepted, including those responsible for handling incoming SMS messages.


CloudSEK found that the malware toolkit is being spread via Telegram groups, where attackers share information about financial fraud operations. Researchers found over 20 Telegram groups, each of which has several members.

How the Attack Happens

The attack relies on altering Android's system behaviour rather than breaking into the payment app itself. According to CloudSEK, it takes place in multiple phases. It begins when the victim unknowingly installs a malicious Android application, often disguised as something harmless, such as a traffic challan notice or a wedding invitation APK.


These Trojanised apps request permissions such as Read and Write SMS. The malware is said to run silently in the background and forward incoming verification messages to the attacker through LSPosed modules. Using this access, the attacker tries to log in to the victim's account through a modified version of the app on their own device.

Once the service sends a login OTP for the victim's account to the victim's phone number, the Trojan intercepts it and forwards it to the attacker. The app then generates a device binding token, which is commonly used by banks to verify the legitimacy of the device.


Because the message originates from the victim's SIM card, the telecom network automatically identifies it as legitimate, the cybersecurity firm noted. Once the device is successfully linked, CloudSEK said the attacker can trigger a UPI PIN reset request. This allows the attacker to set a new UPI PIN and gain full control of the victim's payment account, enabling unauthorised transactions.

Researchers say the attack works because many financial systems rely on the mobile number provided by telecom networks as proof of device ownership. As per the firm, victims may remain unaware that their UPI account has been registered or accessed on another device as the attack happens silently.
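The sequence described above (a new device is bound to an existing account, then a UPI PIN reset follows from it) can be checked for on the server side. The sketch below is an added example, not code from CloudSEK, NPCI or any bank; the event names, fields, 24-hour window and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field and event names are assumptions.
EVENTS = [
    {"ts": "2025-11-02T09:00:00", "account": "A1", "type": "device_bind", "device": "dev-old"},
    {"ts": "2026-03-10T10:00:00", "account": "A1", "type": "device_bind", "device": "dev-new"},
    {"ts": "2026-03-10T10:04:00", "account": "A1", "type": "pin_reset", "device": "dev-new"},
    # First-time onboarding: only one device ever bound, so no alert.
    {"ts": "2026-03-09T09:00:00", "account": "A2", "type": "device_bind", "device": "dev-a"},
    {"ts": "2026-03-09T09:05:00", "account": "A2", "type": "pin_reset", "device": "dev-a"},
    # Second device, but the reset comes months after binding: outside the window.
    {"ts": "2025-01-01T08:00:00", "account": "A3", "type": "device_bind", "device": "dev-x"},
    {"ts": "2026-01-01T08:00:00", "account": "A3", "type": "device_bind", "device": "dev-y"},
    {"ts": "2026-03-10T12:00:00", "account": "A3", "type": "pin_reset", "device": "dev-y"},
]

def flag_bind_then_reset(events, window=timedelta(hours=24)):
    """Flag PIN resets from a device bound within `window` on an account
    that already had a different, earlier-bound device."""
    bound = {}   # account -> {device: time it was first bound}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        devices = bound.setdefault(ev["account"], {})
        if ev["type"] == "device_bind":
            devices.setdefault(ev["device"], ts)
        elif ev["type"] == "pin_reset":
            bind_ts = devices.get(ev["device"])
            if bind_ts is None:
                continue  # reset from a never-bound device belongs to a separate rule
            had_earlier = any(t < bind_ts for d, t in devices.items()
                              if d != ev["device"])
            if had_earlier and ts - bind_ts <= window:
                alerts.append({
                    "account": ev["account"],
                    "new_device": ev["device"],
                    "seconds_after_bind": int((ts - bind_ts).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in flag_bind_then_reset(EVENTS):
        print(alert)
```

Because the page notes that victims may not notice the takeover, an alert like this is most useful when it holds the reset and notifies the previously bound device through a channel other than SMS.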

CloudSEK said it had responsibly disclosed its findings to financial institutions and authorities to help them come up with mitigation strategies, before its report was published.

The National Payments Corporation of India (NPCI) responded to the claims made by CloudSEK. In a statement provided to Gadgets 360 on Wednesday, a spokesperson for the organisation said: 

“This is in reference to recent media reports citing a report on certain fraud-related modus operandi using latest technology to bypass UPI device binding.

NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure.

NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users.”

 
