How does 'Digital Lutera' attack your UPI account?

Cybercriminals in India have developed a toolkit capable of silently hijacking victims' Unified Payments Interface accounts by circumventing recently introduced SIM-binding security measures, according to a report published this week by cybersecurity firm CloudSEK.
The toolkit, named "Digital Lutera" -- Hindi for "digital robber" -- is being openly distributed across more than 20 active Telegram groups, each with over 100 members, where fraud operations are coordinated in real time.
CloudSEK's investigation found that transactions worth up to Rs 30 lakh were processed within just two days inside a single Telegram group, underscoring the scale and speed of the financial damage.
How the Attack Works
Unlike conventional banking malware, Digital Lutera does not target payment apps directly. Instead, it manipulates system-level functions on Android devices using LSPosed, a framework that injects custom modules into the Android runtime environment to intercept SMS messages.
The attack begins when a victim unknowingly installs a malicious APK file -- often disguised as a traffic challan notice or a wedding invitation -- shared via WhatsApp or SMS.
Once installed, the app requests SMS read and write permissions and runs silently in the background. When the victim's bank sends a one-time password, the malware intercepts it and forwards it to the attacker via Telegram.
Using the stolen OTP and a modified version of the UPI app on their own device, the attacker generates a device binding token.
Because the verification message originates from the victim's actual SIM card, telecom networks and banks treat it as legitimate. The attacker can then reset the victim's UPI PIN and gain full control of the payment account -- all while the SIM never leaves the victim's phone.
Also read | War goes cyber: Did Iran hackers launch a cyberattack on US medical giant Stryker?
Authorities Respond
CloudSEK said it disclosed its findings to financial institutions and authorities before publishing the report. The National Payments Corporation of India responded, stating that "robust checks and safeguards are already in place to address such risks" and that "UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure."
The toolkit's emergence comes shortly after the Department of Telecommunications mandated SIM binding for messaging and financial platforms, a measure intended to prevent account takeover by ensuring UPI apps are tied to the SIM card in the user's primary device.
Security researchers warn that the attack succeeds precisely because financial systems continue to treat mobile numbers as sufficient proof of device ownership -- an assumption Digital Lutera is designed to exploit.