Wednesday, May 22, 2024

Dvara Research Blog | The Use of Malware in UPI related Fraud


Shreya R[1]

One-click frauds: An introduction

In a recent study to evaluate the effectiveness of consumer awareness campaigns relating to Unified Payments Interface (UPI) frauds, Dvara Research interviewed ~85 low-income, new-to-UPI users from metro cities and small towns[2]. In these interactions, some respondents reported having lost money from their UPI account by merely clicking on a link received on their phone. The attacks on their funds were carried out without the user divulging any information to fraudsters or engaging with the links beyond clicking on them. Complaints of such single-click frauds have also been received by cyber-crime officials in various parts of the country (The Times of India, 2020) (Mint, 2022). These reports and our findings suggest that fraudsters can now attack UPI accounts without preying on users for sensitive financial information through social engineering[3]. Consequently, UPI users stand to lose money to frauds even when they refrain from divulging information to fraudsters by interacting with them. This article focuses on such minimum-interaction UPI frauds, the manner in which they are distributed and deployed, and the consumer protection threats they pose.

UPI's Security Architecture and What it Means for Frauds

Developed by the National Payments Corporation of India (NPCI), UPI is India's most widely used digital payment infrastructure. In March 2023, UPI registered 8,685.3 million transactions worth INR 14,104.4 billion across all UPI-integrated applications. Concurrently, the union finance ministry reported that 95,000 UPI fraud cases were recorded in the year 2022-23, 84,000 in 2021-22 and 77,000 in 2020-21 (Rajya Sabha, 2023). This shows that the number of fraud cases in UPI has been consistently on the rise. Moreover, the true number of fraud incidents is likely much higher than reported, as affected users often do not report fraud (Blackmon, Mazer, & Warren, 2021). With such pervasiveness, the issue of fraud in UPI is both a policy imperative and a customer protection concern.

UPI frauds are primarily the theft of money from a UPI user's account by deception or misrepresentation, executed either through social engineering or malware. To safeguard users from fraud and unintended execution of transactions, UPI transactions are secured by a two-factor authentication (2FA) mechanism. The first factor is the fingerprint of the mobile user's device[4] and the second factor is the m-PIN set by the user, which is required to validate each transaction (National Payments Corporation of India, n.d. and 2016). Therefore, to defraud a UPI user, the fraudster must break through both of these safeguards. This is done either by tricking the UPI user into authorising a fraudulent transaction, for instance by sending a 'collect request' in the garb of a 'receive request', or by illicitly obtaining sensitive information that would allow fraudsters to authorise the transactions themselves. Fraudsters typically use social engineering to trick account owners into authorising unintended transactions, usually by manipulating users into revealing OTPs, m-PINs and passwords.

Alternatively, fraudsters may resort to malware along with light-touch social engineering to obtain sensitive information that allows them to take control of the user's UPI account. A recent study by Deepstrat and The Dialogue analysed First Information Reports (FIRs) registered with Gurugram Cyber Police Station between August 2019 and September 2020 and found a high prevalence of social engineering techniques, owing to their low cost and high success rate (Mohan, Datta, Venkatanarayanan, & Rizvi, 2022). However, incidents of fraud through malware are equally concerning, as they can limit the need for fraudsters to interact with users, making these attacks even harder for users to detect. Next, we look into the most commonly used malware.

How Does Malware Circumvent Two-Factor Authentication?

Malware, or malicious software, is an umbrella term for any type of software intentionally designed to harm computer systems. Regulators and authorities have long cautioned against cybercriminals using malware to gain access to the financial accounts of users (Reserve Bank of India, 2022). Several types of malware can inflict different types of harm, or 'threats', on users, such as credential exposure, surveillance and invasion of privacy, extortion, identity theft, and financial loss, among others (Cisco).

Banking trojans are a type of information-stealing malware commonly used in digital payment frauds. As the name suggests, they are malware-infested apps in the guise of seemingly useful apps such as a flashlight, a game, or a file reader (Investopedia, 2022). However, once downloaded, they steal sensitive information, such as login credentials, UPI PINs, and OTPs, by capturing data from the user's mobile device. Over time they can collect enough of the user's information to bypass 2FA (Cybereason Nocturnus, 2020). Given that, in the case of UPI frauds, the goal of the attacker is to obtain information that would give them access to UPI accounts, banking trojans can be instrumental in realising frauds. This is also borne out by evidence: the targeted apps listed in the threat report on BlackRock, a banking trojan, include a UPI application (ThreatFabric, 2020).

EventBot is another banking trojan that emerged in March 2020. It disguises itself as a useful application such as Microsoft Word or Adobe Flash. However, it is capable of, and deployed for, reading and intercepting SMS messages, recording keystrokes and retrieving notifications about other installed applications and the content of open windows.

Such malware could potentially circumvent the need for extensive social engineering and realise successful frauds without the user having to actively engage with the fraudster by sharing information. Therefore, to prevent such frauds, users need to be made aware of them and of the common distribution channels used by fraudsters to deploy malware. Next, we examine these distribution channels.

How is Malware Distributed?

Some of the ways in which malware can reach the devices of UPI users include:

  1. Phishing links:

    The analysis of FIR data by The Dialogue and Deepstrat showed that some frauds were carried out by sending users a link which, when clicked, installs malware. About a quarter of the 1228 cases of fraud were realised by sending links to the affected users. These fraudulent messages are circulated through SMS, instant-messaging applications, emails, and social media. They are disguised as messages from authoritative senders such as banks or regulators and are designed to bait the recipient into clicking on the infested link. The RBI also cautions users against clicking on unverified/unfamiliar links, which makes them vulnerable to downloading malware (Reserve Bank of India, 2022).

  2. Malvertisements:

    Malvertisements, also referred to as malvertising, are online advertisements that contain malicious code (Center for Internet Security). Malvertisements can exploit vulnerabilities in the user's browser or operating system to deliver malware to the user's device, such as adware, spyware, ransomware, or trojans (Center for Internet Security). They can also trick users into clicking on links that download malware by mimicking legitimate ads (Center for Internet Security). For instance, it was found recently that hackers used advertising in Google search results to set up websites that promoted trojan apps (Ilascu, 2023).

  3. Downloading apps from untrusted sources:

    Trojan malware is often disguised as legitimate apps and distributed through third-party app stores. EventBot and BlackRock are both distributed largely through this channel (ThreatFabric, 2020) (Cybereason Nocturnus, 2020).

  4. Juice jacking:

    RBI also identifies that fraudsters use public charging ports to transfer malware into users' phones when connected. This is called juice jacking (Reserve Bank of India, 2022).

  5. Insecure or fake Wi-Fi networks:

    Fraudsters may create a fake or rogue Wi-Fi network that looks legitimate and trick people into connecting to it. Once connected, the attacker can use the Wi-Fi connection to disseminate malware (Proofpoint).

  6. Exploitation by technology assistants:

    New-to-tech users are likely to seek assistance in accessing and using UPI. Anecdotal evidence suggests that, owing to a lack of oversight, people providing such assistance sometimes download malware under the pretence of assisting (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020).

In the past, the high cost of obtaining and deploying malware made it unattractive to fraudsters. However, changes in the cybercrime ecosystem are making malware easier and cheaper to access, distribute, and deploy. A report by HP Wolf Security states that an increase in the supply of malware has lowered the cost of cybercrime and the barriers to entry (HP Wolf Security, 2022). The report finds that the average cost of information-stealing malware was 5 USD. It also states that malware is increasingly being sold in the form of Malware-as-a-Service (MaaS). Thus, buyers do not need any expertise in cybersecurity, and nearly anyone can administer a MaaS. The report also finds that malware authors are moving beyond merely selling their product to offering mentoring services and creating detailed playbooks on how to use their malware.

Implications for Customer Protection

All users of UPI are vulnerable to malware-enabled fraud. It has been documented that many sophisticated users fall victim to both social engineering fraud and hacking (The Economic Times, 2019). However, there is also a digital security divide that can affect low-income, new-to-tech users disproportionately.

First, as low-income, new-to-tech users often depend on assistance to access digital payments, they are vulnerable to exploitation by unofficial assistance providers (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020). Second, secure hardware and software can often be unaffordable for low-income individuals (Anthony, 2023). It has been recognised that security problems are often worse in low-priced Android phones (Morrison, 2020). This is because several lower-priced phones are made by lesser-known manufacturers who may not follow a standard vetting process (Morrison, 2020). Moreover, low-income users are also likely to use older devices that are no longer supported with regular software updates. This elevates the chances of malware taking root and exposes low-income, new-to-tech users to elevated threats (Anthony, 2023).

Further, fraudsters may no longer need to depend on users to reveal detailed information and can instead use malware to steal information from their devices. Most malware requires the fraudster to interact with the user only briefly to gain access to a device. This is because, even after the user installs a malicious trojan app, their authorisation is required to grant the permissions that will allow the malware to gain access to the device. However, granting such permissions is often the last interaction the banking trojan will have with the user. Upon obtaining these permissions and privileges, it can often grant itself all further permissions without requiring the user's authorisation.

Moreover, malware often hides its icon from the device screen (McAfee, 2020). Thus, information is stolen without the user being aware of the malware's presence on their device. Furthermore, banking trojans are disguised as apps which may be completely unrelated to payments or banking. Thus, users may not be readily able to attribute financial losses to malware. Further, even users who are careful about sharing credentials and PINs with impostors attempting to seek them may still be vulnerable to malware attacks.
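The two paragraphs above describe a recognisable profile: a trojan disguised as an unrelated utility, installed from outside the official store, that asks once for far-reaching permissions (SMS access for OTPs, overlay drawing for fake login screens, an accessibility service that can click through later prompts) and then hides its icon. The following Python script is an added example, not code from the original post or from Dvara Research, showing how a defender-side tool could triage installed apps against that profile. The `AppRecord` entries are constructed sample data standing in for what a device-management or mobile-security agent would extract from each app's manifest; the permission and installer identifiers are real Android names, while the indicator weights, level thresholds and `com.example.*` package names are assumptions made for this illustration.

```python
"""Heuristic triage of installed Android apps for banking-trojan indicators.

Added illustration, not code from the original post or from Dvara Research.
The AppRecord entries at the bottom are constructed sample data standing in
for what a device-management or mobile-security tool would extract from each
app's manifest. The permission and installer identifiers are real Android
names; the indicator weights, the level thresholds and the sample package
names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Installer package of the official store; anything else counts as sideloaded
# (third-party store, browser download, USB transfer) for this heuristic.
PLAY_STORE = "com.android.vending"

# Capabilities the article associates with banking trojans, keyed by the
# Android permission that grants them. BIND_* entries are the permissions a
# service declares to become an accessibility or notification listener service.
# Weights are assumed, not taken from any published scoring scheme.
INDICATORS: Dict[str, Tuple[int, str]] = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        (4, "accessibility service can read the screen and click through later permission prompts"),
    "android.permission.RECEIVE_SMS":
        (3, "can intercept incoming OTP SMS"),
    "android.permission.READ_SMS":
        (3, "can read stored OTP SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW":
        (3, "can draw overlays such as fake login screens"),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        (2, "can read notifications of other apps"),
    "android.permission.REQUEST_INSTALL_PACKAGES":
        (2, "can sideload further packages"),
}


@dataclass
class AppRecord:
    package: str
    permissions: List[str]
    installer: Optional[str]      # installing package, None when unknown
    has_launcher_icon: bool       # False when no activity is exported to the launcher


def score_app(app: AppRecord) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score = 0
    reasons: List[str] = []
    for perm in app.permissions:
        if perm in INDICATORS:
            weight, why = INDICATORS[perm]
            score += weight
            reasons.append(f"{perm.rsplit('.', 1)[-1]}: {why}")
    hit_indicators = bool(reasons)
    if app.installer != PLAY_STORE:
        score += 2
        reasons.append("installed from outside the official store")
    # A hidden icon is only suspicious together with sensitive capabilities;
    # launcher-less helper apps on their own are common and legitimate.
    if hit_indicators and not app.has_launcher_icon:
        score += 2
        reasons.append("no launcher icon: hides itself from the user")
    return score, reasons


def risk_level(score: int) -> str:
    """Map a score to a triage level (thresholds are assumptions)."""
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def triage(apps: List[AppRecord]) -> List[Tuple[str, str, int, List[str]]]:
    """Score every app and return (package, level, score, reasons), riskiest first."""
    rows = []
    for app in apps:
        score, reasons = score_app(app)
        rows.append((app.package, risk_level(score), score, reasons))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample data: four hypothetical apps, one of which matches the
# profile in the article (sideloaded "flashlight", hidden icon, OTP and overlay access).
SAMPLE_APPS = [
    AppRecord("com.example.flashlight",
              ["android.permission.INTERNET",
               "android.permission.RECEIVE_SMS",
               "android.permission.READ_SMS",
               "android.permission.SYSTEM_ALERT_WINDOW",
               "android.permission.BIND_ACCESSIBILITY_SERVICE",
               "android.permission.REQUEST_INSTALL_PACKAGES"],
              installer=None, has_launcher_icon=False),
    AppRecord("com.example.messaging",
              ["android.permission.RECEIVE_SMS",
               "android.permission.READ_SMS",
               "android.permission.SEND_SMS"],
              installer=PLAY_STORE, has_launcher_icon=True),
    AppRecord("com.example.game",
              ["android.permission.INTERNET",
               "android.permission.SYSTEM_ALERT_WINDOW"],
              installer=None, has_launcher_icon=True),
    AppRecord("com.example.notes",
              ["android.permission.INTERNET"],
              installer=PLAY_STORE, has_launcher_icon=True),
]

if __name__ == "__main__":
    for package, level, score, reasons in triage(SAMPLE_APPS):
        print(f"{level:6} {score:3}  {package}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run as a script, the sample set ranks the constructed flashlight app as high risk with seven reasons, while the store-installed messaging app lands at medium because a genuine SMS client legitimately needs SMS permissions. That is the intended behaviour of a triage aid: it surfaces the combination of sideloading, OTP access, overlay capability and a hidden icon that the text describes as the trojan's last interaction with the user, and leaves the final judgement to a reviewer or to a stricter policy (for instance, treating any non-store app with accessibility-service access as high regardless of score).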

It is quite likely that the one-click frauds reported by our respondents in the primary study were indeed realised through malware. Dvara Research's work elsewhere suggests that the permissions apps seek for accessing various kinds of data are wrapped in lengthy terms and agreements. Even more worryingly, users are disposed to accept these terms and conditions almost by default, without registering it as a salient event. Therefore, users may have only ever clicked on the link and agreed to the terms and conditions, without actively sharing any sensitive financial information, and found themselves losing money. As discussed above, most malware is distributed through social engineering tactics such as phishing, malvertisements etc., which may not readily register as dubious with users.

One-click frauds without any social engineering are most likely feasible when hackers identify vulnerabilities in the operating system's security features. In these instances, malware can gain the required permissions without any user interaction. This was the case in the 'Towelroot Exploit' in 2016, when a vulnerability in Android allowed malware to take control of a device without requiring any special permissions or user interaction (Threatpost, 2016). Such vulnerabilities are rare and usually quickly patched by device manufacturers and software developers.

Some malware may also target vulnerabilities in UPI applications. While most banking trojans typically do not exploit any operating system vulnerabilities but instead trick the user into giving access to the device, some trojans may take advantage of security flaws in third-party apps installed on the device. For instance, Android.Ginp is a banking trojan that targets vulnerabilities in specific banking apps to overlay fake login screens on top of legitimate ones (IBM Security Trusteer, 2019). However, such vulnerabilities cannot lead to one-click fraud, as social engineering is still needed to bypass the security features of the operating system.

Call to Action

The prevalence of mechanisms that can bypass 2FA and defraud vulnerable users of their money is both a pressing customer protection and policy concern. It requires systematic thinking on the part of several agencies to ensure that protocols evolve at the same speed as new variants of fraud. These agencies include NPCI, third-party application providers, payment service providers, OS providers, regulators and law enforcement agencies. Systems to gather intelligence on frauds and promote the registration of such frauds, allowing for a nimble legal framework to respond to them, can emerge as important systemic levers in protecting customers from frauds.

However, an intervention that can be brought into effect immediately is investing in awareness campaigns around technical fraud. The RBI and NPCI have been running awareness campaigns to educate users about social engineering scams and how to avoid them. These communications largely warn users against sharing OTPs, PINs and other sensitive information with scammers. Similar campaigns could be designed to inform users about banking trojans and issue advisories against actions like downloading apps from unknown sources, using unsecured Wi-Fi networks and public charging ports, granting permissions and privileges to malicious apps etc., even as systemic mitigants are contemplated.


Ablon, L., & Libicki, M. (2015). Hacker's bazaar: The markets for cybercrime tools and stolen data. Defense Counsel Journal, 82, 143. Retrieved from with=hein.journals/defcon82&div=17&id=&page=

Anthony, A. (2023, 03 13). Carnegie Endowment for International Peace. Retrieved from

Blackmon, W., Mazer, R., & Warren, S. (2021, March). Nigeria Consumer Protection in Digital Finance Survey. doi:

Center for Internet Security. (n.d.). Malvertising. Retrieved from

Cisco. (n.d.). What is malware? Retrieved April 5, 2023, from

Cybereason Nocturnus. (2020). EventBot: A New Mobile Banking Trojan is Born. Retrieved from

Google. (2019). Android Security & Privacy: 2018 Year In Review. Retrieved from


HP Wolf Security. (2022). The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back. Retrieved from

IBM Security Trusteer. (2019). Android Malware 'Ginp' Targets Mobile Banking in Spain. Retrieved from

Ilascu, I. (2023, January 17). Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner. Retrieved from

Investopedia. (2022). Banker Trojan. Retrieved from content=A%20banker%20Trojan%20is%20a%20piece%20of%20malware%20that%20attempts,client%20data%20to%20the%20attacker.

Kryptowire. (2022). Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China. Retrieved from

Kumar, R. (2020, September 05). Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation. Retrieved from

Kumar, R., Kishore, S., Lu, H., & Prakash, A. (2020). Security Analysis of Unified Payments Interface and Payment Apps in India. 29th USENIX Security Symposium (USENIX Security 20), (pp. 1499-1516). Retrieved from

McAfee. (2020). McAfee Mobile Threat Report Q1, 2020. Retrieved from content/dam/consumer/en-us/docs/2020-Mobile-Threat-Report.pdf

Mint. (2022). Cyber Fraud: Retired Teacher Loses Rs 21 Lakh After Clicking On A WhatsApp Link. Retrieved from

Mohan, C., Datta, S., Venkatanarayanan, A., & Rizvi, K. (2022). Tackling Retail Financial Cyber Crimes in India. Retrieved from

Morrison, S. (2020). "Privacy should not be a luxury": Advocates want Google to do more to secure cheap Android phones. Vox. Retrieved from

National Payments Corporation of India. (2016). India's Unified Payment Gateway for Real-Time Payment Transactions. Retrieved from

National Payments Corporation of India. (n.d.). Unified Payments Interface (UPI). Retrieved April 5, 2023, from

NortonLifeLock. (2021, July). Norton. Retrieved from

Pan, J. (1999). Software Testing. Dependable Embedded Systems.

Privacy International. (2020). An open letter to Google. Retrieved from

Proofpoint. (n.d.). Wayward Wi-Fi: How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk. Retrieved from

Rajya Sabha. (2023, March 21). Unstarred Question No. 2296: UPI Frauds. Retrieved from

Reserve Bank of India. (2022). Be(a)ware: A Booklet on Modus Operandi of Financial Fraudsters. Retrieved from content/pdfs/BEAWARE07032022.pdf

Statista. (2021). Average selling price of smartphones in India from 2010 to 2021. Retrieved from

Statista. (2021). Market share of mobile operating systems in India from 2012 to 2021. Retrieved from

The Economic Times. (2019). New form of OTP theft on rise, many techies victims. Retrieved from

The Economic Times. (2020, June 1). Hackers claim to have found vulnerability in BHIM app; NPCI denies data compromise. Retrieved from

The Times of India. (2020). Person loses Rs 1.5 lakh after clicking on web link. Retrieved from

ThreatFabric. (2020). BlackRock – the Trojan that wanted to get them all. Retrieved from

Threatpost. (2016). Android Ransomware Attacks Using Towelroot, Hacking Team Exploits. Retrieved from

Times of India. (2023). 95,000-plus UPI-related fraud cases reported last year: Fina .. Retrieved from

[1] The author is a Policy Analyst with Dvara Research. The author would like to sincerely thank Beni Chugh and Lakshay Narang for their valuable input and rigorous review.

[2] 85 respondents from Mumbai, Delhi, Kolhapur and Unnao

[3] Social engineering is the manipulation of someone into disclosing confidential information that can be used for fraudulent purposes. Unlike cyberattacks that rely on security vulnerabilities to gain unauthorised access to devices or networks, social engineering techniques target human vulnerabilities (NortonLifeLock, 2021).

[4] A combination of the mobile number linked to the user's bank account and the IMEI number of the user's device.

[5] Link to tweet –

Cite this blog:


R, S. (2023). The Use of Malware in UPI related Fraud. Retrieved from Dvara Research.


R, Shreya. "The Use of Malware in UPI related Fraud." 2023. Dvara Research.


R, Shreya. 2023. "The Use of Malware in UPI related Fraud." Dvara Research.


