UPI fraud: CloudSEK warns Digital Lutera toolkit can bypass UPI app security checks

Cyber intelligence firm CloudSEK reports that online fraudsters are discussing and distributing a toolkit called Digital Lutera in Telegram groups to enable UPI fraud. The firm says the method targets device trust, weakening safeguards such as SIM-binding and app checks. NPCI says UPI has robust controls and is reviewing the report.

A new toolkit is helping online fraudsters bypass security steps used by UPI apps, according to a CloudSEK report. The cyber intelligence firm said attackers are using system-level tricks to complete bank-linked transactions. CloudSEK also flagged active discussions on Telegram where the toolkit, called Digital Lutera, is shared and used.

UPI fraud warning on Digital Lutera

CloudSEK said it spotted at least 20 active Telegram groups discussing Digital Lutera. Each group had more than 100 members, the report said. The firm added that the toolkit is being distributed and put to use. It said this indicates a coordinated effort rather than isolated attempts.

UPI security checks targeted by Digital Lutera

"This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could industrialize account takeovers at scale across the digital payments ecosystem," CloudSEK threat researcher Shobhit Mishra said.

SIM-binding is often treated as proof that an account is linked to one device. UPI apps usually confirm the SIM connected to the phone number on the bank account. Only after this step do apps allow registration and payments. CloudSEK said the new method aims to weaken that trust check.

Telegram groups drive Digital Lutera misuse and scale

CloudSEK said its review of one such Telegram group showed rapid growth in fraud activity. The firm claimed transactions worth Rs 25-30 lakh were processed in only two days. CloudSEK said this pointed to quick scaling of the fraud model. The report also highlighted the growing number of victim connections.

CloudSEK said the attack often starts with a user installing a harmful APK. The APK is presented as a normal file, like a traffic fine notice. It can also appear as a wedding invitation, the report said. After installation, the malware gets access to SMS permissions on the victim’s phone.

Digital Lutera method bypasses UPI SIM-binding via SMS control

CloudSEK said that once Digital Lutera is set up, attackers act from their own device. The report said attackers use a specialised Android framework tool. That tool is used to alter system identity and SMS behaviour. CloudSEK said the goal is to take control of verification flows without moving the SIM.

CloudSEK said attackers can intercept bank registration messages and OTPs. The report said these OTPs are quietly forwarded to Telegram channels controlled by attackers. It also said fake "sent SMS" records are added on the victim’s phone. These changes can make the activity look genuine during checks.

"The result is disturbing: a victim’s UPI account can be registered and controlled on a completely different device - even though the actual SIM card never leaves the victim’s phone," the report said. CloudSEK said the modified device then convinces the UPI app. The app believes verification messages truly came from the victim’s phone.

NPCI response on UPI security amid Digital Lutera claims

The National Payments Corporation of India (NPCI) said UPI already has strong safeguards. "NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure," an NPCI statement said.

NPCI said it is working with banks and other partners to track threats. NPCI added that it keeps strengthening security measures across the payments network. CloudSEK said it has shared details with relevant regulators and financial institutions. The firm said this was part of responsible disclosure and risk mitigation.

With inputs from PTI
