Bengaluru, Mar 11: CloudSEK has exposed a new fraud toolkit called “Digital Lutera” that is spreading rapidly across Telegram, enabling attackers to bypass UPI’s SIM-binding security without modifying banking or payment apps.

CloudSEK’s research has identified at least 20 active Telegram groups, each with over 100 members, where this toolkit is being discussed, distributed, and operationalised. An analysis of one such group alone indicates that transactions worth ₹25-30 Lakhs were processed over just two days, highlighting how quickly the fraud model is scaling and how many victims it is already reaching.

Unlike earlier UPI scams that relied on tampered payment apps, Digital Lutera operates at the Android operating system level. The banking app itself remains completely original and digitally valid, passing signature checks and security scans — while the operating system underneath is manipulated to deceive it.

As part of responsible disclosure, CloudSEK has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures.

Security researchers say this marks a significant escalation in India’s digital payment threat landscape, shifting fraud from app-level tampering to system-level manipulation.

How Digital Lutera Works

India’s UPI system relies heavily on SIM-binding: during registration the payment app sends an SMS from the handset, and if that message arrives from the registered mobile number, the bank treats the SIM as physically present in that phone and trusts the device.

Digital Lutera challenges that assumption.

The attack typically begins when a user unknowingly installs a malicious APK disguised as something routine, such as a traffic fine notice or a wedding invitation. Once installed, the malware obtains SMS permissions on the victim’s phone, allowing it to read and send messages.

From there, attackers use a specialised Android framework tool on their own device to spoof the device identity and SMS functions that the operating system reports to apps. Registration messages meant for the bank are intercepted. OTPs are silently forwarded to Telegram channels controlled by the attackers. Fake “sent” SMS entries are inserted into the phone’s message records so that everything appears legitimate.

The result is disturbing: a victim’s UPI account can be registered and controlled on a completely different device — even though the actual SIM card never leaves the victim’s phone.

CloudSEK researchers have observed Telegram groups actively coordinating login attempts using this framework, suggesting that the technique is already being used in real-world fraud operations.

From App Hacking to System Manipulation

What makes Digital Lutera different is where it operates.

Earlier fraud campaigns relied on modifying banking apps. That made them easier to detect: a repackaged APK has to be re-signed with the attacker’s key, so the app’s digital signature no longer matches the publisher’s and signature checks fail.

Digital Lutera avoids that risk entirely. The app remains untouched. Security checks pass. Nothing appears unusual at first glance. Instead, the manipulation happens inside the phone’s operating system while the app is running.

Put simply: the app looks legitimate — but the phone has been manipulated to lie.

“This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could industrialize account takeovers at scale across the digital payments ecosystem,” said Shobhit Mishra, Threat Researcher, CloudSEK.

Why This Matters

UPI processes billions of transactions every month and forms the backbone of India’s digital payments ecosystem. For years, SIM-binding has been treated as proof that a bank account is securely tied to a specific device.

CloudSEK warns that this assumption may no longer hold.

If attackers can spoof system-level SMS and identity checks, they can intercept OTPs, reset UPI PINs, and execute fraudulent transactions in real time. The technique also has the potential to be distributed as a toolkit, lowering the barrier for organised fraud networks.

Most importantly, the discovery raises a fundamental concern: physical SIM presence alone can no longer be considered reliable proof of device trust.

Who Is Behind It?

CloudSEK’s investigation links the toolkit to an actor operating in Indian underground Telegram communities. The individual appears to have strong reverse engineering expertise and has reportedly explored ways to bypass advanced anti-fraud protections used by major Indian banks.

Researchers believe the actor may have emerged from earlier Android modding communities before moving into organized fintech fraud — reflecting a broader trend where technical skills once used for customization are now being weaponized for financial crime.

What Banks Should Do

CloudSEK recommends that banks strengthen hardware-backed device verification mechanisms and move beyond relying solely on SMS-based SIM-binding. Security controls must assume that device-level SMS confirmation can be manipulated and should incorporate stronger backend validation and runtime integrity checks.
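To make the shift described above concrete, here is a small backend policy model, added as an illustration and not CloudSEK’s or any bank’s code. It contrasts the assumption Digital Lutera exploits (the registration SMS arrived from the registered number, so trust the device) with a hardened decision that also requires a hardware-backed device identity and integrity verdict and watches for one device binding many different mobile numbers. The field names, thresholds and the constructed scenarios (a victim, an attacker device using a forwarded OTP, a mule device) are assumptions for this example.

```python
"""Device-binding policy: SMS-only trust versus hardware-backed trust.

Illustration added to the article, not code from CloudSEK or any bank.
Field names, thresholds and scenarios are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class BindingRequest:
    """One UPI device-binding attempt as seen by the bank's backend."""
    mobile_number: str                 # number the SMS leg appears to come from
    sms_leg_ok: bool                   # registration SMS received / OTP matched
    attested_device_id: Optional[str]  # hardware-backed device id; None if no valid attestation
    integrity_ok: bool                 # hardware-backed verdict that the OS/boot state is unmodified
    ts: datetime


def sms_only_policy(req: BindingRequest) -> str:
    """The assumption Digital Lutera exploits: SMS leg passed, therefore trust the device."""
    return "ALLOW" if req.sms_leg_ok else "DENY"


class HardenedPolicy:
    """SMS leg is necessary but not sufficient; device identity comes from attestation."""

    def __init__(self, max_numbers_per_device: int = 2,
                 window: timedelta = timedelta(hours=48)):
        self.max_numbers_per_device = max_numbers_per_device
        self.window = window
        # attested_device_id -> [(mobile_number, ts)] for bindings this backend accepted
        self._bindings = defaultdict(list)

    def decide(self, req: BindingRequest):
        if not req.sms_leg_ok:
            return "DENY", "sms leg failed"
        if req.attested_device_id is None:
            return "DENY", "no hardware-backed attestation"
        if not req.integrity_ok:
            return "DENY", "device integrity verdict failed"
        # Velocity check: one physical device registering many different victims' numbers.
        others = {m for m, t in self._bindings[req.attested_device_id]
                  if req.ts - t <= self.window and m != req.mobile_number}
        if len(others) >= self.max_numbers_per_device:
            return "DENY", "device has bound too many distinct numbers recently"
        self._bindings[req.attested_device_id].append((req.mobile_number, req.ts))
        return "ALLOW", "ok"


def run_demo() -> dict:
    """Constructed scenarios (not real data) run through both policies."""
    t0 = datetime(2025, 3, 10, 9, 0)
    # Legitimate victim registering on their own, unmodified phone.
    victim = BindingRequest("+919800000001", True, "dev-victim-aa11", True, t0)
    # Attacker device: malware on the victim's phone forwarded the OTP, so the SMS
    # leg passes, but the attacker's hooked OS produces no valid attestation.
    attacker_no_att = BindingRequest("+919800000001", True, None, False,
                                     t0 + timedelta(minutes=5))
    # Same attack, but the attacker device does attest; its integrity verdict fails
    # because a hooking framework is installed (assumption for this scenario).
    attacker_rooted = BindingRequest("+919800000001", True, "dev-attacker-ff99", False,
                                     t0 + timedelta(minutes=6))
    # Mule device that passes attestation (assumption) and binds three victims in an hour.
    mule = [BindingRequest(f"+9198000000{i:02d}", True, "dev-mule-bb22", True,
                           t0 + timedelta(minutes=10 * i)) for i in (2, 3, 4)]

    hard = HardenedPolicy()
    return {
        "victim_sms_only": sms_only_policy(victim),
        "victim_hardened": hard.decide(victim)[0],
        "attacker_no_attestation_sms_only": sms_only_policy(attacker_no_att),
        "attacker_no_attestation_hardened": hard.decide(attacker_no_att),
        "attacker_rooted_hardened": hard.decide(attacker_rooted),
        "mule_hardened": [hard.decide(r)[0] for r in mule],
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The SMS-only policy approves the attacker’s binding because the forwarded OTP makes the SMS leg look correct; the hardened policy rejects it for lacking attestation, rejects the attested-but-modified device on its integrity verdict, and cuts off the mule device at its third distinct number.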

“Digital Lutera is a warning sign of where mobile fraud is headed. We are entering an era where attackers no longer need to break into apps — they manipulate the environment the apps run in. Banks and payment providers must urgently shift toward hardware-backed integrity checks and stronger backend validation models. Security can no longer rely on SMS and SIM presence alone. The future of digital payments depends on rebuilding device trust from the ground up,” said Shobhit Mishra, Threat Researcher, CloudSEK.
