The National Payments Corporation of India (NPCI) has denied claims that “Digital Lutera”, a fraud toolkit, can allow hackers to bypass the SIM-binding security feature in India's UPI system.
"NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure. NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users," the nodal payments body said in a release.
“Digital Lutera” is currently circulating on Telegram. According to reports, the tool allows attackers to bypass the SIM-binding security feature in India's UPI system without altering banking or payment apps. This enables a victim's UPI account to be registered and controlled on an entirely different device, which can lead to funds being siphoned off a victim's account, according to a report by cybersecurity company CloudSEK.
CloudSEK's research has identified at least 20 active Telegram groups, each containing over 100 members, where the toolkit is discussed, shared, and put into use. In one group, transactions totalling Rs 25-30 lakhs were processed in just two days.
How Does ‘Digital Lutera’ Work?
India's UPI relies on SIM-binding, which assumes that the physical presence of a SIM card in a phone means the device can be trusted by the bank. Digital Lutera challenges this assumption. The attack often starts when a victim installs a malicious APK disguised as something ordinary, such as a traffic fine notice or wedding invitation. Once installed, the malware obtains SMS permissions on the victim's phone.
Attackers then use a specialised Android framework tool on their own device to alter system-level identity and SMS operations. As per CloudSEK, registration messages intended for the bank are intercepted, OTPs are forwarded to attacker-controlled Telegram channels, and fake “sent” SMS entries are added to the victim's message history to make things appear legitimate.
This enables a victim's UPI account to be registered and controlled on an entirely different device, even though the victim's SIM card remains in their phone.
CloudSEK has observed Telegram groups coordinating real-time login attempts using this method, indicating active deployment in live fraud operations.
Why Is ‘Digital Lutera’ Dangerous?
Earlier scams modified banking apps, which made detection easier. Digital Lutera leaves the app untouched, allowing security checks to pass normally. The deception occurs within the operating system, so the app appears genuine but “the phone has been manipulated to lie,” writes CloudSEK.
UPI handles billions of transactions monthly, and SIM-binding has been viewed as proof that an account is tied to a specific device. CloudSEK warns that this assumption may no longer hold. Attackers who spoof system-level SMS and identity verification can intercept OTPs, reset UPI PINs, and carry out fraudulent transactions instantly.
CloudSEK's investigation links the toolkit to an actor operating in Indian underground Telegram communities. The individual appears to have explored ways to bypass advanced anti-fraud protections used by major Indian banks.