Online fraudsters are using new technology that bypasses security features of UPI apps to carry out financial transactions, cyber intelligence firm CloudSEK claimed in a report.
According to the report, the firm has identified at least 20 active groups on messaging platform Telegram, each with over 100 members, where a toolkit by the name of "Digital Lutera" is being discussed, distributed, and operationalised.
"This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could industrialize account takeovers at scale across the digital payments ecosystem," CloudSEK, Threat Researcher, Shobhit Mishra said.
2 March 2026
Get the latest issue of Outlook Business
CloudSEK claims to have done an analysis of one such group alone which indicates that transactions worth Rs 25 -30 lakh were processed over just two days, highlighting how quickly the fraud model is scaling and the number of victims' connections.
An email query sent to National Payments Corporation of India in this regard remained unanswered.
SIM-binding has been treated as a proof that a bank account is securely tied to a specific device. UPI apps process transactions after verifying the SIM of the phone number with which the account associated with it is installed in the mobile phone.
CloudSEK said the attack typically begins when a user unknowingly installs a malicious APK disguised as something routine, such as a traffic fine notice or a wedding invitation. Once installed, the malware gains access to the victim’s phone's SMS permissions.
Once the Digital Lutera tool kit is installed , attackers use a specialised Android framework tool on their own device to manipulate system-level identity and SMS functions. The attacker is then able to intercept registration messages meant for the banks and OTPs are silently forwarded to Telegram channels controlled by the attackers.
“Fake “sent” SMS entries are inserted into the phone’s message records to make everything appear legitimate. The result is disturbing: a victim’s UPI account can be registered and controlled on a completely different device — even though the actual SIM card never leaves the victim’s phone,” the report said.
The cyber intelligence firm said that after manipulating the android device, it makes the UPI app believe that messages for verification have genuinely emanated from the smartphone. CloudSEK said that it has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures as part of responsible disclosure.
