Flowchart of the UPI SIM binding verification flow | Image: CloudSEK
According to a critical new report from CloudSEK, threat actors have moved beyond simple app modifications to a sophisticated technique known as Runtime Environment Manipulation.
By leveraging the LSPosed framework, attackers can now hijack legitimate, unmodified payment applications by effectively “gaslighting” the underlying Android operating system.
The core of this new attack is the systematic dismantling of UPI SIM-binding, a security protocol designed to ensure that a bank account can only be accessed if the physical SIM card is present in the device.
The report highlights the gravity of this evolution: “Because the malicious module… hooks system-level APIs rather than the app itself, the payment app’s digital signature remains valid, effectively bypassing Google Play Protect and traditional integrity checks”.
This means the banking app on the attacker’s device remains 100% original, passing all standard security audits while the malicious “Digital Lutera” module feeds it a fabricated reality in the background.
The attack transforms a rooted device into a remote-controlled fraud machine through a multi-step process:
- Identity Forgery: When a payment app asks for the device’s phone number, the module intercepts the request and returns a spoofed number provided by a Command & Control (C2) server.
- SMS Hijacking: The module hooks into system methods to capture registration tokens. It blocks the actual verification SMS from reaching the cellular network and instead exfiltrates the data to a Telegram bot.
- Evidence Planting: To satisfy the app's internal checks, the module manually writes fake SMS records into the Android “Sent” database. This ensures that if the app scans for proof of a sent message, it finds a “perfect, forged record”.
This technique allows fraudsters to register a victim’s bank account on a device located thousands of miles away from the actual SIM card. Researchers have already identified a single threat group with over 500 successful login messages using this framework.
The mastermind behind this specific module, an actor known as “Berlin” or @Syntext_Erorr, is described as a sophisticated developer who explicitly advertises “UPI bypass” and “PIN reset” services in underground forums.
CloudSEK warns that this attack “fundamentally breaks the security model” of modern mobile banking. To counter this, the report urges financial institutions to adopt:
- Strict Device Integrity: Implementing Google's Play Integrity API with a MEETS_STRONG_INTEGRITY requirement to ensure the bootloader is locked.
- Carrier-Side Validation: Transitioning to backend systems that verify registration messages actually traversed the cellular network, rather than trusting the device’s local confirmation.
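Server-side gating of a SIM-binding request along the lines of the two recommendations above, as an added example that is not CloudSEK's or any bank's code. It assumes the Play Integrity token has already been decrypted and its signature verified upstream, uses the documented decoded-verdict field names, and substitutes a constructed carrier delivery feed for the carrier-side check; the package name, nonce, tokens, time values and MSISDN are placeholders.

```python
import json

# Policy values are this example's assumptions, not CloudSEK's or Google's.
REQUIRED_DEVICE_VERDICT = "MEETS_STRONG_INTEGRITY"
MAX_VERDICT_AGE_MS = 5 * 60 * 1000  # reject verdicts older than five minutes


def integrity_ok(verdict, expected_nonce, expected_package, now_ms):
    """Gate a decoded Play Integrity verdict (decryption/signature check done upstream)."""
    req = verdict.get("requestDetails", {})
    if req.get("nonce") != expected_nonce:
        return False  # replayed token, or one minted for a different session
    if req.get("requestPackageName") != expected_package:
        return False  # token minted for another app
    if now_ms - req.get("timestampMillis", 0) > MAX_VERDICT_AGE_MS:
        return False  # stale verdict
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False  # binary unknown to Play (an unmodified, hooked app still passes this)
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    # A rooted or bootloader-unlocked device earns at most MEETS_BASIC_INTEGRITY.
    return REQUIRED_DEVICE_VERDICT in device


def accept_sim_binding(verdict, nonce, package, sms_token, carrier_log, now_ms):
    """Accept only if the device passes AND the carrier saw the registration SMS.

    carrier_log is a constructed stand-in for a carrier delivery feed {token: sender MSISDN};
    the device's own "Sent" record is ignored because it can be forged.
    """
    if not integrity_ok(verdict, nonce, package, now_ms):
        return "reject: device integrity"
    if sms_token not in carrier_log:
        return "reject: no carrier record"
    return "bind:" + carrier_log[sms_token]


# Constructed decoded verdict for a healthy device; field names follow the documented layout.
CLEAN_VERDICT = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank", "nonce": "n-1", "timestampMillis": 1000},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]}
}""")
# Same app on a rooted device: only basic integrity is reported.
ROOTED_VERDICT = json.loads(json.dumps(CLEAN_VERDICT))
ROOTED_VERDICT["deviceIntegrity"]["deviceRecognitionVerdict"] = ["MEETS_BASIC_INTEGRITY"]
CARRIER_LOG = {"t-1": "+91XXXXXXXXXX"}  # constructed: token t-1 really crossed the network

if __name__ == "__main__":
    for tok in ("t-1", "t-forged"):
        print(tok, accept_sim_binding(CLEAN_VERDICT, "n-1", "com.example.bank", tok, CARRIER_LOG, 2000))
```

The forged-token case models the Evidence Planting step: a locally planted “Sent” record changes nothing on the backend because only the carrier feed is consulted.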
As these “Alpha” threat actors continue to evolve, the industry must move beyond basic root detection to ensure that “physical SIM presence” once again means actual device security.