12-03-2026 12:00:00 AM
Cybercriminals are using a new malware toolkit to bypass security safeguards in Unified Payments Interface (UPI) applications and conduct fraudulent financial transactions, according to a report by cyber intelligence firm CloudSEK.
The report said several organised groups operating on the messaging platform Telegram are actively sharing and using a toolkit called “Digital Lutera” to carry out such attacks. At least 20 groups, each with more than 100 members, are involved in discussing and distributing the tool.
CloudSEK researchers warned that the malware targets the core trust system of smartphones by manipulating the device’s operating system. This allows attackers to circumvent traditional protections such as SIM-binding and app verification, which are commonly used by UPI apps to ensure secure transactions.
The fraud typically begins when users unknowingly download a malicious Android application disguised as a legitimate message or notification, such as a traffic fine alert or a wedding invitation. Once installed, the malware gains access to SMS permissions on the victim’s phone.
Using a specialised Android framework, attackers can then intercept verification messages sent by banks and capture one-time passwords (OTPs). These sensitive details are automatically forwarded to Telegram channels controlled by the fraudsters.
The manipulation also creates fake “sent” SMS records on the victim’s phone, making the activity appear normal while criminals remotely register and control the victim’s UPI account from another device.
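For defenders triaging a suspicious APK of the kind described above, the following added example (not from the CloudSEK report or this article) checks a decoded `AndroidManifest.xml` for the SMS access the report describes. The finding codes, the lure keyword list, the priority threshold and both sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}
# Lure themes named in the report; this keyword list is an assumption.
LURE_WORDS = ("traffic", "fine", "wedding", "invitation")

def triage_manifest(xml_text):
    """Return sorted finding codes for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name", "").rsplit(".", 1)[-1]
             for e in root.iter("uses-permission")}
    findings = set()
    if perms & SMS_PERMS:
        findings.add("SMS_ACCESS")
    # Reading incoming SMS plus network access is what OTP forwarding needs.
    if perms & {"READ_SMS", "RECEIVE_SMS"} and "INTERNET" in perms:
        findings.add("SMS_PLUS_NETWORK")
    for filt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in filt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            findings.add("SMS_RECEIVER")
            prio = filt.get(A + "priority", "0")
            # Threshold of 999 is an assumption for "wants messages first".
            if prio.lstrip("-").isdigit() and int(prio) >= 999:
                findings.add("HIGH_PRIORITY_SMS_RECEIVER")
    # Labels may be @string references in real manifests; literal text only here.
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    if findings and any(word in label for word in LURE_WORDS):
        findings.add("LURE_LABEL")
    return sorted(findings)

# Constructed sample manifests (not taken from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SUSPICIOUS = f"""<manifest {NS} package="com.example.invite">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wedding Invitation">
    <receiver android:name=".Rx"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""
```

The input is the text manifest produced by a decoder such as apktool, not the binary manifest inside the APK. When the file comes from an untrusted sample, parse it with a hardened XML parser such as defusedxml instead of the standard library.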
CloudSEK said its analysis of one Telegram group revealed transactions worth Rs 25–30 lakh processed within just two days, highlighting the rapid growth of this fraud method. The firm said it has alerted regulators and financial institutions to help them strengthen safeguards against the threat.