
Beware: 'Digital Lutera' toolkit targets UPI users, warns cyber firm

Source: PTI   -  Edited By: Senjo M R

March 11, 2026 14:54 IST


A sophisticated new UPI fraud toolkit is enabling cybercriminals to bypass security measures and steal funds by manipulating system-level functions on Android devices, warns cybersecurity firm CloudSEK.


Key Points

  • The toolkit manipulates the operating system, making traditional security measures like SIM-binding and app signature checks unreliable.
  • Attackers use malicious APKs to gain access to SMS permissions and intercept registration messages and OTPs.
  • Compromised UPI accounts can be registered and controlled on different devices without the victim's SIM card being removed.
  • Transactions worth Rs 25-30 lakh were processed over just two days in one group alone, highlighting the rapid scaling of this fraud model.

Online fraudsters are using new technology that bypasses security features of UPI apps to carry out financial transactions, cyber intelligence firm CloudSEK claimed in a report.

According to the report, the firm has identified at least 20 active groups on messaging platform Telegram, each with over 100 members, where a toolkit by the name of "Digital Lutera" is being discussed, distributed, and operationalised.

 

"This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could industrialize account takeovers at scale across the digital payments ecosystem," CloudSEK threat researcher Shobhit Mishra said.

CloudSEK says its analysis of just one such group indicates that transactions worth Rs 25-30 lakh were processed over just two days, highlighting how quickly the fraud model is scaling and the number of victims' connections.

An email query sent to National Payments Corporation of India in this regard remained unanswered.

How 'Digital Lutera' bypasses UPI security

SIM-binding has been treated as proof that a bank account is securely tied to a specific device. UPI apps process transactions after verifying that the SIM for the phone number associated with the account is installed in the mobile phone.

CloudSEK said the attack typically begins when a user unknowingly installs a malicious APK disguised as something routine, such as a traffic fine notice or a wedding invitation. Once installed, the malware gains access to SMS permissions on the victim's phone.

Once the Digital Lutera toolkit is installed, attackers use a specialised Android framework tool on their own device to manipulate system-level identity and SMS functions. The attacker is then able to intercept registration messages meant for the banks, and OTPs are silently forwarded to Telegram channels controlled by the attackers.

"Fake 'sent' SMS entries are inserted into the phone's message records to make everything appear legitimate. The result is disturbing: a victim's UPI account can be registered and controlled on a completely different device - even though the actual SIM card never leaves the victim's phone," the report said.

The cyber intelligence firm said that once the Android device has been manipulated, the UPI app is made to believe that the verification messages genuinely originated from the smartphone. CloudSEK said that it has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures as part of responsible disclosure.
