A chilling new threat has emerged in the digital payment landscape as cyber intelligence firm CloudSEK reveals the rise of a sophisticated toolkit dubbed ‘Digital Lutera.’ This malware is specifically designed to bypass the ‘SIM-binding’ security features of popular UPI apps, allowing fraudsters to gain full control over a victim’s bank account without needing physical access to the SIM card. Within just the last 48 hours, transactions worth lakhs have been illicitly processed through this new method, leaving the authorities on high alert.

The attack typically begins with a deceptive link sent via WhatsApp or SMS, disguised as a routine notification like a traffic fine, a parcel delivery update, or even a wedding invitation. Once the victim clicks the link and installs the malicious APK file, the software gains access to system-level SMS permissions. The ‘Digital Lutera’ toolkit then intercepts bank registration messages and silently forwards OTPs to Telegram channels controlled by the attackers. Disturbingly, the hackers can register and operate the victim’s UPI profile on a completely different device while the original SIM remains in the victim’s phone. The National Payments Corporation of India (NPCI) has assured users that robust checks are being strengthened, but the primary defense remains vigilance. Cyber experts urge citizens never to download unverified apps and to report any suspicious activity immediately to the 1930 national helpline.