Sophisticated Hijacking Threat
Cybercriminals in India have developed a potent new toolkit, identified as "Digital Lutera", a name translating to "digital robber" in Hindi. The tool is designed to silently take over Unified Payments Interface (UPI) accounts by sidestepping the recently implemented SIM-binding checks. According to cybersecurity firm CloudSEK, the software is actively distributed and coordinated across more than 20 Telegram groups, each with over 100 members, where fraudulent transactions are orchestrated in real time. A single group, for instance, moved up to Rs 30 lakh in just two days, an indication of the financial damage the operation can inflict.
Exploiting System Functions
Unlike traditional banking malware that attacks the payment app directly, Digital Lutera works at the level of the Android messaging stack. Its tooling is built on LSPosed, a framework that injects custom modules into the Android runtime to hook other apps. LSPosed only runs on a rooted device, so in practice that component lives on the attacker's own handset, where it is used to tamper with the UPI application; the victim's phone needs nothing more than a sideloaded app with SMS permissions. The infection begins when a user is tricked into installing a malicious APK, typically distributed over WhatsApp or SMS and disguised as a legitimate communication such as a traffic challan notice or a wedding invitation. Once installed, the rogue app requests permission to read and send SMS messages and then runs discreetly in the background. When a bank sends a one-time password (OTP) to the victim's device, the app reads it and forwards it to the attacker over Telegram; because it can also send SMS, the outbound device-binding message can be made to originate from the victim's SIM. With the stolen OTP and the tampered UPI app, the attacker generates a device-binding token on their own handset. Crucially, since the verification message really does come from the victim's SIM card, the telecom network and the bank perceive it as authentic and the binding check passes.
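The victim-side component described above is an ordinary sideloaded app whose power comes entirely from the permissions it asks for. The triage script below, added here as an illustration and not taken from CloudSEK or the toolkit, checks a decoded AndroidManifest.xml for that capability set: SMS read plus network access (OTP exfiltration), SEND_SMS (a binding message from the victim's SIM), and a high-priority SMS_RECEIVED receiver. It assumes the binary manifest has already been decoded to plain XML (for example with apktool or androguard); both manifests in the block are constructed for the example and are not from any real sample.

```python
"""Triage heuristic for a sideloaded APK: does its manifest ask for the
capability set an SMS-forwarding dropper needs?

Added illustration, not code from CloudSEK or the toolkit. Assumes the
binary AndroidManifest.xml has already been decoded to plain XML (e.g.
with apktool or androguard). The two manifests below are constructed
for this example and are not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name):
    # ElementTree exposes namespaced attributes in Clark notation, {ns}name
    return "{%s}%s" % (ANDROID_NS, name)


# Read incoming OTPs, push them out over the network, and originate SMS
# (the last is what lets a binding message come from the victim's SIM).
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    perms = {p.get(_attr("name")) for p in root.iter("uses-permission")}
    findings = []
    if perms & SMS_READ and INTERNET in perms:
        findings.append("reads incoming SMS and has network access: can exfiltrate OTPs")
    if SMS_SEND in perms:
        findings.append("can originate SMS from the device's own SIM")
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(_attr("name")) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                note = "registers an SMS_RECEIVED receiver (%s)" % receiver.get(_attr("name"))
                priority = int(flt.get(_attr("priority"), "0"))
                if priority >= 999:
                    note += " at priority %d, to see OTPs before other apps" % priority
                findings.append(note)
    return findings


# Constructed manifest in the shape a dropper posing as a document viewer
# would have: nothing about a "challan viewer" justifies SMS access.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.challan.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Traffic Challan">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary network-only app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invite.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wedding Invite">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in triage_manifest(DROPPER_MANIFEST):
        print("-", line)
```

A hit on all three findings is a strong signal for a file that arrived as a "challan" or "invitation" over WhatsApp, since none of those lures has a legitimate reason to touch SMS. The check is a heuristic: a genuine SMS client legitimately declares the same permissions, so the result should be read alongside the app's claimed purpose and distribution channel.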
Gaining Control
With the intercepted OTP and the modified UPI application, the attacker can reset the victim's UPI PIN and thereby gain full, unauthorized control of the payment account. What makes the attack particularly insidious is that the victim's SIM card never leaves their possession: there is no SIM swap or number port for the telecom operator or the bank to notice. Digital Lutera exposes a gap in current security strategies, namely that financial systems still treat the mobile number as the primary indicator of device ownership. The toolkit is engineered to exploit exactly that assumption, and its appearance is a reminder that the protocols built on it need to be re-evaluated as attacks evolve.
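The gap described above can be made concrete with a toy model of the binding check, added here as an illustration and not NPCI's or any bank's actual protocol. The weak verifier accepts a binding when the sender number of the binding SMS and the OTP match the account, which is exactly what a forwarded OTP plus a message sent through the victim's SIM provides. The hardened verifier also demands a signature from a key provisioned to the enrolled handset; the HMAC over a constructed per-device secret is a stand-in for a non-exportable hardware-backed key, and the phone number is constructed.

```python
"""Toy model of UPI-style device binding: a mobile number alone is weak
proof that the requesting handset is the customer's.

Added illustration, not NPCI's or any bank's actual protocol. The weak
verifier accepts a binding on sender number plus OTP; the hardened one
also requires a signature from a key only the enrolled handset holds
(an HMAC over a constructed per-device secret stands in for a
non-exportable hardware-backed key).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class BindingRequest:
    sender_msisdn: str      # number the binding SMS arrives from
    otp: str                # OTP entered in the UPI app
    device_id: str          # handset making the request
    signature: bytes = b""  # over the request, if the handset holds a key


def sign(device_key, req):
    """Client side: the enrolled handset signs the request with its own key."""
    msg = "|".join([req.sender_msisdn, req.otp, req.device_id]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class BindingServer:
    def __init__(self):
        self.accounts = {}  # msisdn -> {"otp": str | None, "device_key": bytes}

    def enroll(self, msisdn, device_key):
        self.accounts[msisdn] = {"otp": None, "device_key": device_key}

    def issue_otp(self, msisdn):
        otp = "%06d" % secrets.randbelow(10**6)
        self.accounts[msisdn]["otp"] = otp
        return otp  # delivered by SMS to the registered number

    def weak_bind(self, req):
        """Trusts the sender number plus the OTP and nothing else."""
        acct = self.accounts.get(req.sender_msisdn)
        return acct is not None and acct["otp"] == req.otp

    def hardened_bind(self, req):
        """Same checks, plus proof the request came from the enrolled handset."""
        acct = self.accounts.get(req.sender_msisdn)
        if acct is None or acct["otp"] != req.otp:
            return False
        expected = sign(acct["device_key"], req)
        return hmac.compare_digest(expected, req.signature)


VICTIM = "+919800000000"  # constructed number for the example


def _setup():
    server = BindingServer()
    victim_key = secrets.token_bytes(32)  # provisioned to the handset at enrollment
    server.enroll(VICTIM, victim_key)
    return server, victim_key


def simulate_legitimate_bind():
    """Victim's own handset: both verifiers accept."""
    server, victim_key = _setup()
    otp = server.issue_otp(VICTIM)
    req = BindingRequest(VICTIM, otp, "victim-handset")
    req.signature = sign(victim_key, req)
    return server.weak_bind(req), server.hardened_bind(req)


def simulate_stolen_otp_bind():
    """Attacker's handset with the forwarded OTP and a binding SMS sent via
    the victim's SIM: the weak verifier accepts, the hardened one refuses."""
    server, _ = _setup()
    otp = server.issue_otp(VICTIM)  # read and forwarded by the SMS stealer
    req = BindingRequest(VICTIM, otp, "attacker-handset")  # no key, so no signature
    return server.weak_bind(req), server.hardened_bind(req)


if __name__ == "__main__":
    print("legitimate handset:", simulate_legitimate_bind())
    print("stolen OTP, attacker handset:", simulate_stolen_otp_bind())
```

The hardened path only helps if the key is app-scoped and non-exportable (on Android, a hardware-backed Keystore key owned by the UPI app), because the SMS stealer on the victim's phone runs unprivileged and cannot reach another app's key material. It also moves the hard problem to re-enrolment on a new phone, which then needs stronger verification than an SMS round trip.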
Official Response and Safeguards
In response to these findings, CloudSEK shared its discoveries with the relevant financial institutions and government authorities before publishing its report. The National Payments Corporation of India (NPCI) issued a statement emphasizing that "robust checks and safeguards are already in place to address such risks," and further reassured users that "UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure." The toolkit surfaced shortly after the Department of Telecommunications mandated SIM binding across messaging and financial platforms, a measure intended to ensure that UPI applications are linked exclusively to the SIM card present in the user's primary device. As security researchers point out, however, the success of attacks like Digital Lutera shows that verifying device ownership remains an open problem even with such safeguards in place, and that continued vigilance and evolving defences are required.