UPI apps under threat from 'Digital Lutera': What is it?
What's the story
Cyber intelligence firm CloudSEK has flagged a new threat to Unified Payments Interface (UPI) apps. The company says that online fraudsters are using advanced technology to bypass the security features of these apps and carry out financial transactions. The report highlights at least 20 active groups on Telegram, each with over 100 members, discussing and distributing a toolkit called "Digital Lutera."
Toolkit
Digital Lutera is a structural attack on device trust
CloudSEK's Threat Researcher, Shobhit Mishra, explained that Digital Lutera isn't just another UPI malware variant. He said it is a structural attack on device trust. This means that when the operating system itself is manipulated, traditional safeguards such as SIM-binding and app signature checks become unreliable. If not addressed, this could lead to large-scale account takeovers across the digital payments ecosystem.
Fraud growth
Rapid scaling of this fraud model
CloudSEK's analysis of one such group revealed that transactions worth ₹25-30 lakh were processed in just two days. This highlights the rapid scaling of this fraud model and the number of victims it has reached. The firm also explained how these attacks typically begin when a user unknowingly installs a malicious APK disguised as something routine, like a traffic fine notice or wedding invitation.
Attack method
Attackers intercept registration messages meant for banks
Once the Digital Lutera toolkit is installed, attackers use a specialized Android framework tool on their device to manipulate system-level identity as well as SMS functions. This lets them intercept registration messages meant for banks, with OTPs silently forwarded to Telegram channels controlled by the attackers. Fake 'sent' SMS entries are inserted into the phone's message records to make everything appear legitimate.
Account takeover
Responsible disclosure to regulators, financial institutions
The report said that once the Android handset has been manipulated, the toolkit makes the UPI app believe that the verification messages have genuinely come from the smartphone. This means a victim's UPI account can be registered and also controlled on a completely different device, even though the actual SIM card never leaves their phone. CloudSEK has informed relevant regulators and financial institutions about this threat as part of responsible disclosure.
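The defensive lesson of the attack method and account-takeover sections above is that a check running on the handset (SIM-binding, app signature verification) cannot be trusted once the operating system under it has been manipulated, so the binding decision has to be made on the bank's backend with evidence the handset cannot forge. The example below is added here and is not code from the CloudSEK report or from any UPI app. It assumes a hypothetical registration-event schema in which the backend receives, for each device-binding attempt, the mobile number the verification SMS was exchanged with, an app-reported device identifier, and a hardware-backed integrity verdict (`attestation_ok`, assumed to come from the platform's attestation service). The events, numbers, device names and the one-day rebind window are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RegistrationEvent:
    """One UPI device-binding attempt as seen by the bank backend (constructed schema)."""
    mobile_number: str    # number the verification SMS was sent to / received from
    device_id: str        # identifier the app reports for the handset
    attestation_ok: bool  # hardware-backed device-integrity verdict (assumed available)
    timestamp: int        # seconds since epoch


def flag_suspicious_registrations(
    events: List[RegistrationEvent], rebind_window: int = 24 * 3600
) -> List[Tuple[RegistrationEvent, str]]:
    """Server-side checks that do not rely on anything the handset's OS reports about itself.

    1. A device that fails hardware-backed attestation never becomes a trusted binding.
    2. A mobile number that is rebound to a different device while a trusted binding is
       still recent is flagged, which is exactly the pattern of a number being registered
       on an attacker's device while the SIM stays in the victim's phone.
    Only events that pass both checks update the trusted baseline for a number.
    """
    flagged: List[Tuple[RegistrationEvent, str]] = []
    last_trusted: Dict[str, RegistrationEvent] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        reasons = []
        if not ev.attestation_ok:
            reasons.append("device failed integrity attestation")
        prev = last_trusted.get(ev.mobile_number)
        if (prev is not None and prev.device_id != ev.device_id
                and ev.timestamp - prev.timestamp <= rebind_window):
            reasons.append(
                f"number rebound from {prev.device_id} to {ev.device_id} "
                f"within {rebind_window}s of a trusted binding")
        if reasons:
            flagged.append((ev, "; ".join(reasons)))
        else:
            last_trusted[ev.mobile_number] = ev
    return flagged


# Constructed sample events: a victim's genuine binding, two attacker attempts on the same
# number, and a second customer who legitimately moves to a new phone after the window.
SAMPLE_EVENTS = [
    RegistrationEvent("+91-9000000001", "victim-handset", True, 1_000),
    RegistrationEvent("+91-9000000001", "attacker-handset", False, 5_000),
    RegistrationEvent("+91-9000000002", "customer2-old", True, 6_000),
    RegistrationEvent("+91-9000000001", "attacker-handset-2", True, 7_000),
    RegistrationEvent("+91-9000000002", "customer2-new", True, 6_000 + 100_000),
]


def run_demo() -> List[Tuple[RegistrationEvent, str]]:
    """Run the checks over the constructed events and return what was flagged."""
    return flag_suspicious_registrations(SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, reason in run_demo():
        print(f"FLAG {event.mobile_number} on {event.device_id}: {reason}")
```

Both attacker attempts are caught: the first because a manipulated handset cannot produce a valid hardware-backed attestation, the second (a device that does pass attestation) because the number already has a recent trusted binding on the victim's phone. The second customer's phone change lands outside the window and is accepted without any on-device check being involved.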