Victims may remain unaware that their UPI account has been taken over on another device as the attack happens silently, as per researchers.
Photo Credit: CloudSEK
The toolkit is designed to bypass restrictions by directly targeting the Android OS
The government recently enforced a SIM-binding mandate for messaging and financial platforms, intending to curb digital fraud and identity misuse. As per the Department of Telecommunications (DoT), this move is meant to ensure that services like messaging platforms and UPI apps are linked to the SIM card on the user's primary device, reducing the ease of account takeover. Cybersecurity researchers have now identified a toolkit designed to bypass these restrictions by directly targeting the Android operating system, intercepting messages and accessing the victims' UPI accounts by spoofing the authorisation process and tricking the system into thinking it is legitimate.
Update (March 11, 4:20pm): This article has been updated to reflect a statement from the National Payments Corporation of India (NPCI) in response to CloudSEK's report, and the headline has been updated accordingly.
Researchers at cybersecurity firm CloudSEK have identified a fraud toolkit named Digital Lutera, which enables cybercriminals to bypass the recently introduced SIM-based verification mechanism used for digital payment systems in India. The toolkit is used to bypass the protections of digital payment systems built around UPI-linked bank accounts and SMS-based OTP verification.
Unlike traditional malware that directly targets banking apps, Digital Lutera works by modifying system-level behaviour on Android devices, as per the firm. The toolkit is claimed to use LSPosed, a framework that enables the injection of custom modules into the Android runtime environment. With LSPosed, system functions can be intercepted, including those responsible for handling incoming SMS messages.
CloudSEK found that the malware toolkit is being spread via Telegram groups, where attackers share information about financial fraud operations. Researchers found over 20 Telegram groups, each of which has several members.
The attack relies on altering Android's system behaviour rather than breaking into the payment app itself. According to CloudSEK, it takes place in multiple phases. It begins when the victim unknowingly installs a malicious Android application, often disguised as something harmless, such as a traffic challan notice or a wedding invitation APK.
These Trojanised apps request permissions such as Read and Write SMS. The malware is said to run silently in the background and forward incoming verification messages to the attacker through LSPosed modules. Using this access, the attacker tries to log in to the victim's account through a modified version of the app on their own device.
When the service sends a login OTP to the victim's phone number, the Trojan intercepts it and forwards it to the attacker. The app then generates a device-binding token, which banks commonly use to verify the legitimacy of the device.
Because the message originates from the victim's SIM card, the telecom network automatically identifies it as legitimate, the cybersecurity firm noted. Once the device is successfully linked, CloudSEK said the attacker can trigger a UPI PIN reset request. This allows the attacker to set a new UPI PIN and gain full control of the victim's payment account, enabling unauthorised transactions.
Researchers say the attack works because many financial systems rely on the mobile number provided by telecom networks as proof of device ownership. As per the firm, victims may remain unaware that their UPI account has been registered or accessed on another device as the attack happens silently.
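As an added illustration of the sequence described above, and not code from CloudSEK's report or from this article, here is a simple defender-side correlation check: it flags an account when a device binding from a never-before-seen device is followed by a UPI PIN reset within a short window. The audit-event format, field names and sample events are constructed assumptions.

```python
# Added example: correlation rule modelled on the chain described in the article
# (new device binding -> UPI PIN reset -> transactions). Event format and
# sample data are constructed assumptions, not any real bank's audit schema.
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, account, event_type, device_id)
SAMPLE_EVENTS = [
    ("2026-03-10T09:00:00", "acct-1", "DEVICE_BIND", "dev-A"),  # victim's own phone
    ("2026-03-10T09:05:00", "acct-1", "TXN", "dev-A"),
    ("2026-03-10T21:14:00", "acct-1", "DEVICE_BIND", "dev-X"),  # unknown second device
    ("2026-03-10T21:16:30", "acct-1", "PIN_RESET", "dev-X"),    # reset minutes later
    ("2026-03-10T21:18:00", "acct-1", "TXN", "dev-X"),
    ("2026-03-11T08:00:00", "acct-2", "DEVICE_BIND", "dev-B"),  # new phone, benign
    ("2026-03-12T10:00:00", "acct-2", "PIN_RESET", "dev-B"),    # reset a day later
]


def find_suspicious_bindings(events, window_minutes=30):
    """Return (account, device_id) pairs where a binding from a device the
    account has never used before is followed, on that same device, by a PIN
    reset within `window_minutes`. Events are processed in timestamp order."""
    window = timedelta(minutes=window_minutes)
    known_devices = {}  # account -> set of device ids seen so far
    pending = {}        # account -> (device_id, bind_time) awaiting a PIN reset
    hits = []
    for ts, acct, etype, dev in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        seen = known_devices.setdefault(acct, set())
        if etype == "DEVICE_BIND" and dev not in seen:
            pending[acct] = (dev, t)  # first binding from this device
        elif etype == "PIN_RESET" and acct in pending:
            pdev, ptime = pending.pop(acct)
            if dev == pdev and t - ptime <= window:
                hits.append((acct, dev))
        seen.add(dev)
    return hits


if __name__ == "__main__":
    print(find_suspicious_bindings(SAMPLE_EVENTS))  # [('acct-1', 'dev-X')]
```

In a real deployment the same rule would feed a step-up check or a hold on the first transactions from the newly bound device rather than a silent log entry.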
CloudSEK said it had responsibly disclosed its findings to financial institutions and authorities to help them come up with mitigation strategies, before its report was published.
The National Payments Corporation of India (NPCI) responded to the claims made by CloudSEK. In a statement provided to Gadgets 360 on Wednesday, a spokesperson for the organisation said:
“This is in reference to recent media reports citing a report on certain fraud-related modus operandi using latest technology to bypass UPI device binding.
NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure.
NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users.”