Wednesday, March 11, 2026

Researchers flag ‘Digital Lutera’ toolkit targeting Android to bypass SIM-based verification

Concerns over digital payment security have emerged after cybersecurity researchers uncovered a new fraud toolkit that can bypass recently introduced SIM-based verification systems. The discovery comes shortly after the Department of Telecommunications enforced a SIM-binding mandate aimed at reducing digital fraud and identity misuse on messaging and financial platforms.

The rule requires services such as messaging platforms and UPI apps to remain linked to the SIM card on a user’s primary device. The goal is to make account takeovers more difficult. However, researchers have now identified a toolkit that can intercept messages and access victims’ UPI-linked accounts by spoofing the authorisation process and making the system believe the request is legitimate.

Cybersecurity firm CloudSEK has identified the toolkit, named Digital Lutera. According to the firm, it allows cybercriminals to bypass SIM-based verification mechanisms used in India’s digital payment ecosystem. The toolkit targets UPI-linked bank accounts and systems that rely on SMS-based OTP verification.

Unlike typical malware that attacks banking apps directly, Digital Lutera changes system-level behaviour on Android devices. Researchers said the toolkit uses LSPosed, a framework that allows custom modules to be injected into the Android runtime environment. This enables attackers to intercept key system functions, including those that manage incoming SMS messages.

CloudSEK also discovered that the toolkit is being circulated through Telegram groups used by fraud networks. Researchers identified more than 20 such groups, each with several members sharing information related to financial fraud operations.

The attack typically begins when a victim unknowingly installs a malicious Android application. These apps are often disguised as harmless files, such as a traffic challan notice or a wedding invitation APK. Once installed, the apps request permissions like Read and Write SMS.

Once these permissions are granted, the malware runs quietly in the background and forwards incoming verification messages to attackers using LSPosed modules. With this information, attackers attempt to log in to the victim’s account using a modified version of the app on their own device.

When a login OTP is sent to the victim’s phone number, the Trojan intercepts the message and forwards it to the attacker. The system then generates a device binding token used by banks to confirm device authenticity. Since the message originates from the victim’s SIM card, telecom networks recognise it as legitimate.

Once the device is linked, attackers can request a UPI PIN reset. This allows them to create a new PIN and gain full control of the victim’s payment account, enabling unauthorised transactions.

Researchers say such attacks succeed because many financial systems rely on the mobile number provided by telecom networks as proof of device ownership. Victims may remain unaware that their UPI account has been accessed or registered on another device because the process happens silently.

CloudSEK said it responsibly shared its findings with financial institutions and authorities before publishing the report.

Responding to the claims, the National Payments Corporation of India issued a statement saying:

“This is in reference to recent media reports citing a report on certain fraud-related modus operandi using latest technology to bypass UPI device binding.

NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure.

NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users.”
