- By Alex David
- Sun, 15 Mar 2026 11:58 PM (IST)
- Source: JND
The government recently implemented a SIM-binding mandate for messaging and financial platforms to curb digital fraud and identity misuse. The Department of Telecommunications (DoT) introduced this rule to ensure that services such as messaging platforms and UPI apps are linked to the SIM card on a user's primary device. However, cybersecurity researchers have identified a toolkit that reportedly bypasses these restrictions by targeting Android devices and intercepting authentication messages.
Fraud Toolkit ‘Digital Lutera’ Identified by CloudSEK
Cybersecurity researchers at CloudSEK have discovered a fraud toolkit called Digital Lutera, which allegedly allows cybercriminals to bypass SIM-based verification mechanisms used in digital payment systems in India.
According to the firm, the toolkit enables attackers to access UPI-linked bank accounts and intercept SMS-based OTP verification without directly attacking banking applications.
Unlike traditional malware, Digital Lutera modifies system-level behaviour on Android devices.
Key Technical Mechanism
| Component | Description |
| --- | --- |
| LSPosed Framework | Allows injection of custom modules into Android’s runtime environment |
| SMS Interception | Enables attackers to intercept incoming verification messages |
| System Function Control | Alters system behaviour to bypass device verification processes |
Researchers also found that the malware toolkit is being distributed through Telegram groups used by cybercriminals to coordinate financial fraud operations. CloudSEK identified more than 20 such groups with multiple participants sharing tools and information.
How the Attack Works
CloudSEK reports that the attack targets the Android operating system rather than exploiting vulnerabilities in payment applications.
The attack typically occurs in several stages:
1. Malicious App Installation
Victims unknowingly install a Trojanised Android application disguised as legitimate files such as traffic challan notices or wedding invitation APKs.
2. Permission Access
The application requests permissions including Read SMS and Write SMS.
3. OTP Interception
The malware runs in the background and forwards incoming OTP messages to attackers using LSPosed modules.
4. Account Access
Attackers attempt to log in to the victim’s account using a modified version of the payment app on their own device.
5. Device Binding Token Generation
The system generates a device binding token used by banks to verify device authenticity.
Because the message originates from the victim’s SIM card, telecom networks recognise it as legitimate. Once the attacker successfully links their device, they can request a UPI PIN reset and gain full access to the victim’s account.
Researchers note that victims may not immediately realise their account has been accessed because the process happens silently in the background.
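The last stages described above (a new device is bound to the account, then a UPI PIN reset is requested) leave an ordered pair of events that a bank or payment backend can correlate even when the victim notices nothing. The following is an added example, not code from CloudSEK's report or from any NPCI or bank system: a Python detection rule run over constructed events. The event schema, field names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema (ts, account, event, device_id) is
# hypothetical and not taken from any bank, NPCI or CloudSEK source.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00", "account": "A1", "event": "device_bind", "device_id": "dev-old"},
    {"ts": "2026-03-10T09:00:00", "account": "A1", "event": "device_bind", "device_id": "dev-new"},
    {"ts": "2026-03-10T09:07:00", "account": "A1", "event": "pin_reset", "device_id": "dev-new"},
    {"ts": "2026-03-01T08:00:00", "account": "A2", "event": "device_bind", "device_id": "dev-a"},
    {"ts": "2026-03-10T12:00:00", "account": "A2", "event": "pin_reset", "device_id": "dev-a"},
    {"ts": "2026-03-01T08:00:00", "account": "A3", "event": "device_bind", "device_id": "dev-x"},
    {"ts": "2026-03-05T10:00:00", "account": "A3", "event": "device_bind", "device_id": "dev-y"},
    {"ts": "2026-03-07T10:00:00", "account": "A3", "event": "pin_reset", "device_id": "dev-y"},
]


def flag_bind_then_pin_reset(events, window=timedelta(minutes=30)):
    """Flag PIN resets made from a device that was newly bound within `window`.

    The first binding seen for an account is treated as its enrolment device,
    so the event stream must start at or before enrolment (assumption).
    """
    known = {}   # account -> device ids already bound
    recent = {}  # account -> (device_id, bind time) of the latest new-device bind
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        acct, dev = ev["account"], ev["device_id"]
        if ev["event"] == "device_bind":
            seen = known.setdefault(acct, set())
            if seen and dev not in seen:
                recent[acct] = (dev, ts)
            seen.add(dev)
        elif ev["event"] == "pin_reset":
            bound = recent.get(acct)
            if bound and bound[0] == dev and ts - bound[1] <= window:
                alerts.append({
                    "account": acct,
                    "device_id": dev,
                    "minutes_after_bind": (ts - bound[1]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_bind_then_pin_reset(SAMPLE_EVENTS):
        print(alert)
```

With the constructed data, only account A1 is flagged: A2 resets its PIN from its enrolment device, and A3 resets two days after a device change, outside the window.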
CloudSEK stated that it responsibly disclosed its findings to financial institutions and relevant authorities before publishing the report.
NPCI Responds to the Report
Following the report, the National Payments Corporation of India (NPCI) issued a statement addressing the concerns.
“This is in reference to recent media reports citing a report on certain fraud-related modus operandi using latest technology to bypass UPI device binding.
NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure.
NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users.”




