A sophisticated cyber fraud operation has been identified in which attackers are exploiting new technology to bypass the security features of UPI apps and execute financial transactions. Cyber intelligence firm CloudSEK reported that cybercriminals are using a toolkit called “Digital Lutera”, which allows them to manipulate the mobile operating system and gain control over users’ bank accounts.
Telegram Groups Fueling Digital Lutera Malware Spread
The report stated that at least 20 active groups on the messaging platform Telegram have been identified, each with over 100 members. Within these groups, the Digital Lutera toolkit is being discussed, shared, and actively deployed for fraudulent purposes.
Shobhit Mishra, Threat Researcher at CloudSEK, said, “Digital Lutera is not just another UPI malware. It represents a structural attack on device trust. When the operating system itself is compromised, traditional safeguards such as SIM-binding and app signature verification become unreliable. If left unaddressed, this could industrialize account takeovers across the digital payments ecosystem.”
How Digital Lutera Executes High-Value UPI Frauds
Analysis of a single group revealed that transactions worth ₹25–30 lakh were processed over just two days, indicating both the speed and scale at which the fraud model operates. An email query sent to the National Payments Corporation of India on the matter went unanswered.
The attack typically begins when a user unknowingly installs a malicious APK disguised as a routine notification, such as a traffic fine alert or wedding invitation. Once installed, the malware obtains SMS permissions on the device.
Once the Digital Lutera toolkit is installed, the attackers use a specialized Android framework tool on their own devices to manipulate system-level identity and SMS functions. Registration messages and OTPs sent by banks are silently forwarded to Telegram channels controlled by the fraudsters. Fake “sent” SMS entries are inserted into the victim’s message records, creating the illusion of legitimate transactions.
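A defender-side triage for the infection step described above, as an added example that is not taken from the CloudSEK report: it flags apps that did not come from a trusted store and hold SMS permissions, and rates them higher when they can also reach the network. The package names and inventory records are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
# Added example: triage an app inventory for the sideloaded-APK + SMS-permission
# pattern described above. All package names and records are constructed.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
INTERNET = "android.permission.INTERNET"
# Assumption: only the Play Store installer is treated as a trusted source.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed inventory: (package, installer or None if sideloaded, permissions)
SAMPLE_INVENTORY = [
    ("com.example.bankapp", "com.android.vending",
     {"android.permission.RECEIVE_SMS", INTERNET}),
    ("com.example.echallan.notice", None,
     {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
      "android.permission.SEND_SMS", INTERNET}),
    ("com.example.wedding.invite", None,
     {"android.permission.READ_SMS"}),
    ("com.example.flashlight", None, {"android.permission.CAMERA"}),
]

def triage(inventory):
    """Return (package, severity, reasons) for apps matching the pattern."""
    findings = []
    for package, installer, perms in inventory:
        if installer in TRUSTED_INSTALLERS:
            continue  # installed from a trusted source
        sms = sorted(p.rsplit(".", 1)[1] for p in perms & SMS_PERMS)
        if not sms:
            continue  # sideloaded but cannot touch SMS
        reasons = ["sideloaded", "sms:" + ",".join(sms)]
        # SMS access plus network access is what OTP forwarding needs.
        if INTERNET in perms:
            reasons.append("network")
            severity = "high"
        else:
            severity = "medium"
        findings.append((package, severity, reasons))
    return findings

if __name__ == "__main__":
    for package, severity, reasons in triage(SAMPLE_INVENTORY):
        print(f"{severity:6} {package}: {'; '.join(reasons)}")
```

On a real device the same three fields can be collected per package from the installer record and the granted-permission list before feeding them to `triage`.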
Regulatory Response and User Protection Tips
The report highlighted that this technique allows the UPI account to be fully registered and controlled on a different device, even though the victim’s SIM card never leaves their phone. CloudSEK stated that regulators and financial institutions have been informed to implement proactive mitigation measures.
Experts noted that this development underscores the growing sophistication of cyber threats targeting digital payment systems. Users are advised to install applications only from trusted sources, never share OTPs or sensitive banking messages, and verify any suspicious requests before proceeding with transactions.
This incident emphasizes the importance of digital financial security and demonstrates how technologically skilled cybercriminals can exploit vulnerabilities to carry out large-scale financial fraud. It also highlights the urgent need for awareness campaigns, vigilant monitoring, and robust user education to prevent similar scams.
Authorities and cybersecurity experts stress that adopting multi-layered security measures, limiting online exposure, and maintaining strict verification protocols remain the most effective defenses against evolving digital payment frauds.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
