One-click frauds: An introduction
For a recent study, Dvara Research met with ~85 low-income, new-to-UPI users from metro cities and small towns.[2] In these interactions, some respondents reported having lost money from their account by clicking on a link received on their phone. They were convinced that they had not actively shared sensitive financial information such as OTPs with anyone. In other instances, users had clicked on some links but did not engage with them beyond that i.e., did not actively input any information on those links. These links typically enable auto-reading of OTPs or sending of messages from the SMS box while the PIN credentials are normally parted over a phishing page provided in such links.
Some other reports and our findings suggest that the links that users click on can lead them to download malware (The Times Of India, 2020; Mint, 2022). When downloaded on to the device, this malware can glean sensitive financial information from it without the users’ active involvement. This sensitive financial information is relayed back to the fraudster who may then deploy it to realise a variety of frauds such as netbanking, credit card, or UPI scams. This article focuses on how fraudsters use such malware to dupe UPI users, the manner in which these frauds are realised, the user protection threats they pose, the actions that agencies have taken, and the unfinished agenda.
UPI’s security architecture: Can fraudsters really bypass it?
Developed by the National Payments Corporation of India (NPCI), UPI is India’s most widely used digital payment infrastructure. In March 2023, UPI registered 8,685.3 million transactions of INR 14,104.4 billion in value across all UPI-integrated applications. Simultaneously, the Union Ministry of Finance reported that 95,000 UPI fraud cases were recorded in the year 2022-23, 84,000 in 2021-22, and 77,000 in 2020-21 (Rajya Sabha, 2023). However, the true number of fraud incidents is likely higher than reported as affected users often do not report fraud (Blackmon, Mazer, & Warren, 2021). Given that UPI enjoys an unprecedented market share in retail transactions and that its reach is deepening beyond tier 3 towns in India, it is worth examining how malware facilitates frauds.
As we understand from NPCI sources, the account themselves cannot be hacked into per se. However, vulnerabilities of the consumer are exploited; frauds in UPI are essentially realised by gaining access to users’ information or devices to execute frauds. UPI frauds are essentially the theft of money from a UPI user’s account through deception or misrepresentation, executed either through social engineering or by the fraudster using malware along some social engineering. To safeguard users from fraud and unintended execution of transactions, UPI transactions are secured by a two-factor authentication (2FA) mechanism. The first factor is the fingerprint of the mobile user’s device[3] and the second factor is the m-PIN set by the user that is required to validate each transaction (National Payments Corporation of India, n.d; National Payments Corporation of India, 2016). Therefore, to defraud a UPI user, the fraudster must break into both these safeguards.
This is done either through tricking the UPI user into authorising a fraudulent transaction, for instance sending a ‘collect request’ in the garb of a ‘receive request’ or deceiving the user into making payments under the enticement of some gains/rewards etc. Fraudsters also often use social engineering such as impostoring as bank employees over phone calls to trick users into revealing the OTPs, m-PINs, and passwords.
Alternatively, fraudsters may resort to malware in combination with social engineering to obtain sensitive information that allows them to take control of the user’s UPI account. Frauds, using both malware and social engineering methods, are a concern for all digital financial services and not unique to UPI (Chalwe-Mulenga, Duflos, & Coetzee, 2022). Fraudsters can target users of different payment systems including credit cards, mobile banking, and mobile wallets. Due to UPI’s multi-layer security architecture, fraudsters have to obtain several pieces of information in order to defraud the user of their money without their knowledge or involvement. Potentially for this reason, malware-aided frauds are not widespread in UPI. A recent study by Deepstrat and The Dialogue analyzed First Information Reports (FIR) registered with the Gurugram Cyber Police Station between August 2019 and September 2020 and found high prevalence of social engineering methods due to their low cost and high success rate (Mohan, Datta, Venkatanarayanan, & Rizvi, 2022). Despite being less prevalent, the incidents of fraud through malware are equally concerning as they can limit the need for fraudsters to interact with users, making these scams even harder for users to detect. Next, we look into the most commonly used malware.
How does malware execute frauds?
Malware or malicious software is an umbrella term for any type of software intentionally designed to harm computer systems. Regulators and authorities have long cautioned against cyber-criminals employing malware to gain access to the financial accounts of users (Reserve Bank of India, 2022). Several types of malware can inflict different types of harm or ‘threats’ on users such as credential exposure, surveillance and invasion of privacy, extortion, identity theft, and financial loss among others (Cisco).
Banking trojans are a type of information-stealing malware commonly used in digital payment frauds. As the name suggests, they are malware-infested malicious apps in the guise of seemingly useful apps such as a flashlight, a game, or a file reader (Investopedia, 2022). However, once downloaded they steal sensitive information, such as login credentials, m-PINs, and OTPs by capturing data from the user’s mobile device. Over time it can collect enough of the user’s information to bypass 2FA (Cybereason Nocturnus, 2020). Given that in the case of UPI frauds the goal of the attacker is to obtain information that can give them access to give them access to information to break into UPI 2 FA, banking trojans can be instrumental in realizing frauds. This is also borne out by evidence: The targeted apps listed in the threat report of BlackRock, a banking trojan, include a UPI application (Threat Fabric, 2020).
EventBot is another banking trojan that emerged in March 2020. It disguises itself as a useful application such as Microsoft Word or Adobe Flash. However, it is capable of and is deployed for reading and intercepting SMS messages, recording keystrokes, and retrieving notifications about other installed applications and content of open windows (Cybereason Nocturnus, 2020).
Such malware may potentially circumvent the need for extensive social engineering and realise successful frauds without the user having to actively engage with the fraudster by means of actively sharing information over a phone call. Next, we examine the channels through which malware is distributed.
How is malware distributed?
Some common channels for distributing malware are:
- Phishing links:
The analysis of FIR data by The Dialogue and Deepstrat showed that some frauds were carried out by sending users a link which, when clicked, installed malware on their devices. About a quarter of the 1228 cases of frauds were realized by sending links to the affected users. These fraudulent messages are circulated through SMS, instant-messaging applications, e-mails, and social media. They are disguised as messages from authoritative senders such as banks or regulators and are designed to bait the recipient into clicking on the infested link. The RBI also cautions users against clicking on unverified/unfamiliar links which makes them vulnerable to downloading malware (Reserve Bank of India, 2022).
Malvertisements, also known as malvertising, refer to online advertisements that contain malicious code (Center for Internet Security). Malvertisements can exploit vulnerabilities in the user’s browser or operating system to deliver malware to the user’s device, such as adware, spyware, ransomware, or trojans (Center for Internet Security). They can also trick users into clicking on links that download malware by mimicking legitimate ads (Center for Internet Security). For instance, it was found recently that hackers used advertising in Google search results to set up websites that promoted trojan apps (Ilascu, 2023).
- Downloading apps from untrusted sources:
Trojan malware is often disguised as legitimate apps and distributed through third-party app stores. EventBot and BlackRock are both distributed largely via this channel (Threat Fabric, 2020; Cybereason Nocturnus, 2020).
- Juice Jacking:
RBI also identifies that fraudsters use public charging ports to transfer malware into users’ phones when connected. This is known as juice jacking (Reserve Bank of India, 2022).
- Insecure or fake Wi-Fi networks:
Fraudsters may create a fake or rogue Wi-Fi network that looks legitimate and trick people into connecting to it. Once connected, the attacker can use the Wi-Fi connection to disseminate malware (Proof Point).
- Exploitation by technology assistants:
New-to-tech users are likely to seek assistance for accessing and using UPI. Anecdotal evidence suggests that due to a lack of oversight, people providing such assistance often download malware in the pretence of aiding (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020). .
In the past, the high cost of obtaining and deploying malware made it unattractive to fraudsters. However, changes in the ecosystem of cybercrime are making malware easier and cheaper to access, distribute, and deploy. A report by HP Wolf Security states that an increase in the supply of malware has lowered the cost of cybercrime and the barriers to entry (HP Wolf Security, 2022). The report finds that the average price of information-stealing malware was found to be 5 USD. It also states that malware is increasingly being sold in the form of Malware-as-a-Service (MaaS). Thus, buyers do not need any expertise in cybersecurity and nearly anybody can administer a MaaS. The report also finds that malware authors are moving beyond simply selling their product to offering their mentoring services and creating detailed playbooks on how to use their malware.
Implications for user protection
In vulnerability to malware frauds, there is a digital security divide that can affect low-income, new-to-tech users disproportionately.
First, as low-income, new-to-tech users often rely on assistance to access digital payments, they are vulnerable to exploitation by unofficial assistance providers (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020). Second, secure hardware and software can sometimes be unaffordable to low-income individuals (Anthony, 2023). It has been identified that security concerns are often worse in low-priced Android phones (Morrison, 2020). This is because several lower-priced phones are made by lesser-known manufacturers who may not follow a standard vetting process (Morrison, 2020). Moreover, low-income users are also likely to use older devices that are no longer supported with regular software updates. This elevates the chances of malware taking root and exposing them to increased threats (Anthony, 2023).
Further, fraudsters may no longer have to rely on users to reveal detailed information and instead use malware to steal information from their devices. Most malware requires the fraudster to interact with the user only briefly to gain access to a device. This is because, even after the user installs a malicious trojan app, their authorisation is required for granting permissions that will allow the malware to gain access to the device. However, granting of such permissions is often the last interaction the banking trojan will have with the user. Upon obtaining these permissions and privileges, it can often grant itself all additional permissions without requiring user’s authorisation.
Moreover, malware often hides its icon from the device screen (McAfee, 2020). Thus, information is stolen without the user being aware of the malware’s presence in their device. Banking trojans also often guise as apps that are completely unrelated to payments or banking. Thus, users may not be readily able to attribute financial losses to them. Even users are cautious about sharing credentials and PINs with impostors attempting to seek them, they may still be vulnerable to malware attacks.
Some malware may also target vulnerabilities in applications. While most banking trojans typically do not exploit any operating system vulnerabilities but trick the user into giving access to the device, some trojans may take advantage of security flaws in third-party apps installed on the device. For instance, Andorid.Ginp is a banking trojan that targets vulnerabilities in specific banking apps to overlay fake login screens on top of legitimate ones (IBM Security Trusteer, 2019). Unsuspecting users may be convinced they are engaging with legitimate apps until they lose money.
It is quite likely that one-click frauds reported by our respondents in the primary study were indeed realized by malware. Dvara Research’s work elsewhere suggests that the permissions that apps seek for accessing various kinds of data are warped in lengthy terms and agreements. Even more worryingly, users are disposed to accept those terms and conditions almost by default and not register it as a salient event. Therefore, users may have only ever clicked on the link and agreed to the terms and conditions, without actively sharing any sensitive financial information, and found themselves losing money. As discussed above, most malware is distributed through social engineering tactics such as phishing, malvertisements etc. which may not readily register as dubious with users.
One-click frauds, without any social engineering, are most likely feasible when hackers identify vulnerabilities in the operating system’s security features. In those instances, malware can gain the required permissions without any user interaction. This was the case in the ‘Towelroot Exploit’ in 2016 when a vulnerability in Android allowed malware to take control of a device without requiring any special permissions or user interaction (Threat Post, 2016). Such vulnerabilities are rare and often quickly patched by device manufacturers and software developers.
Call to Action
Measures taken so far: The NPCI and the Payments ecosystem participants are aware of these issues. On its part, the NPCI issues circulars guiding participants on protecting users from social engineering and other kinds of frauds.
In addition to mandating user safeguards, reportedly, the NPCI also welcomes system participants to implement user-protection safeguards voluntarily. For instance, several UPI issuing banks reduce the transaction limit of UPI accounts to INR 5,000 for 24 hours for a new user (HDFC Bank; Bank of Baroda; Fi). This can help limit the loss to the user to INR 5,000, should there be an attempt by the fraudster to takeover the account. It remains to be seen if the ceiling is conservative enough especially for the low-income users. Another measure deployed by UPI applications is to disable UPI transactions on devices that carry remote-access apps known to be instrumental in screen-takeover frauds (Singh, 2020).
Unfinished agenda: Combating the growing supply chain of malware and preventing an increase in its deployment by fraudsters requires coordinated, systematic thinking on part of several agencies to ensure that protocols evolve at the same speed as new variants of fraud. These agencies include NPCI, third party application providers, payment service providers, OS providers, regulators, and law enforcement agencies. Systems to gather intelligence on frauds and promote registration of such frauds, and a nimble legal framework to respond to them, can emerge as crucial systematic levers in protecting customers from frauds.
Also, an intervention that can be brought into effect right away is investing in awareness campaigns around technical fraud. The RBI and NPCI already invest in awareness campaigns to educate users about social engineering scams and how to avoid them. These communications largely warn users against sharing OTPs, PINs and other sensitive information with impostors over the phone. Similar campaigns could be designed to inform users about banking trojans and issue advisories against actions like downloading apps from unknown sources, using unsecured Wi-Fi networks and public charging ports, granting permissions, and privileges to malicious apps etc. even as systematic mitigants are contemplated.
Bibliography
Kumar, R., Kishore, S., Lu, H., & Prakash, A. (2020). Security Analysis of Unified Payments Interface and Payment Apps in India. 29th USENIX Security Symposium (USENIX Security 20), (pp. 1499-1516). Retrieved from https://www.usenix.org/system/files/sec20summer_kumar_prepub.pdf
Kryptowire. (2022). Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China. Retrieved from https://www.prnewswire.com/news-releases/kryptowire-identifies-security-and-privacy-vulnerability-in-mobile-device-chipset-from-china-301502349.html
Google. (2019). Android Security & Privacy: 2018 Year In Review. Retrieved from https://source.android.com/docs/security/overview/reports/Google_Android_Security_2018_Report_Final.pdf
Google. (2019). Android Security & Privacy: 2018 Year In Review.
Reserve Bank of India. (2022). Be(a)ware: A Booklet on Modus Operandi of Financial Fraudsters. Retrieved from https://rbidocs.rbi.org.in/rdocs/content/pdfs/BEAWARE07032022.pdf
Mohan, C., Datta, S., Venkatanarayanan, A., & Rizvi, K. (2022). TACKLING RETAIL FINANCIAL CYBER CRIMES IN INDIA . Retrieved from https://deepstrat.in/wp-content/uploads/2022/05/Tackling-Retail-Financial-Cyber-Crimes-In-India-Deepstrat13.05.2022-1.pdf
The Times Of India. (2020). Person loses Rs 1.5 lakh after clicking on web link. Retrieved from https://timesofindia.indiatimes.com/city/mangaluru/person-loses-rs-1-5-lakh-after-clicking-on-web-link/articleshow/79328294.cms
The Economic Times. (2020, June 1). Hackers claim to have found vulnerability in BHIM app; NPCI denies data compromise. Retrieved from https://ciso.economictimes.indiatimes.com/news/hackers-claim-to-have-found-vulnerability-in-bhim-app-npci-denies-any-data-compromise/76137226
Morrison, S. (2020). “Privacy shouldn’t be a luxury”: Advocates want Google to do more to secure cheap Android phones. Vox. Retrieved from https://www.vox.com/recode/2020/1/17/21069417/privacy-international-bloatware-android-google
The Economic Times. (2019). New form of OTP theft on rise, many techies victims. Retrieved from https://economictimes.indiatimes.com/news/politics-and-nation/new-form-of-otp-theft-on-rise-many-techies-victims/articleshow/67521098.cms
Statista. (2021). Average selling price of smartphones in India from 2010 to 2021. Retrieved from https://www.statista.com/statistics/809351/india-smartphone-average-selling-price/
Statista. (2021). Market share of mobile operating systems in India from 2012 to 2021. Retrieved from https://www.statista.com/statistics/262157/market-share-held-by-mobile-operating-systems-in-india/
Privacy International. (2020). An open letter to Google. Retrieved from https://www.vox.com/recode/2020/1/17/21069417/privacy-international-bloatware-android-google
Mint. (2022). Cyber Fraud Retired Teacher Loses Rs-21 Lakh After Clicking On A Whatsapp Link. Retrieved from https://www.livemint.com/news/india/cyber-fraud-retired-teacher-loses-rs-21-lakh-after-clicking-on-a-whatsapp-link-11661125424653.html
Cybereason Nocturnus. (2020). EventBot: A New Mobile Banking Trojan is Born. Retrieved from https://www.cybereason.com/blog/research/eventbot-a-new-mobile-banking-trojan-is-born#threat-analysis
HP Wolf Security. (2022). The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back. Retrieved from https://threatresearch.ext.hp.com/wp-content/uploads/2022/07/HP-Wolf-Security-Evolution-of-Cybercrime-Report.pdf
Threat Fabric. (2020). BlackRock – the Trojan that wanted to get them all. Retrieved from https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html#how-it-works
Threat Post. (2016). Android Ransomware Attacks Using Towelroot, Hacking Team Exploits. Retrieved from https://threatpost.com/android-ransomware-attacks-using-towelroot-hacking-team-exploits/117655/
IBM Security Trusteer. (2019). Android Malware ‘Ginp’ Targets Mobile Banking in Spain. Retrieved from https://community.ibm.com/community/user/security/blogs/limor-kessem1/2019/12/03/android-malware-ginp-targets-mobile-banking-spain
Proof Point. (n.d.). Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk. Retrieved from https://www.proofpoint.com/sites/default/files/pfpt-us-ebook-wayward-wifi.pdf
Center for Internet Security. (n.d.). Malvertising. Retrieved from cisecurity.org/insights/blog: https://www.cisecurity.org/insights/blog/malvertising
Kumar, R. (2020, September 05). Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation. Retrieved from https://www.youtube.com/watch?v=yxNWMYXv_TU
Anthony, A. (2023, 03 13). Carnegie Endowment for Internaltional Peace. Retrieved from https://carnegieendowment.org/2023/03/13/cyber-resilience-must-focus-on-marginalized-individuals-not-just-institutions-pub-89254
NortonLifeLock. (2021, July). Norton. Retrieved from https://us.norton.com/blog/emerging-threats/what-is-social-engineering
Times of India. (2023). 95,000-plus UPI-related fraud cases reported last year: Fina .. Retrieved from https://timesofindia.indiatimes.com/gadgets-news/95000-plus-upi-related-fraud-cases-reported-last-year-finance-ministry/articleshow/98975930.cms
Investopedia. (2022). Banker Trojan. Retrieved from https://www.investopedia.com/terms/b/banker-trojan.asp#:~:text=A%20banker%20Trojan%20is%20a%20piece%20of%20malware%20that%20attempts,client%20data%20to%20the%20attacker.
Blackmon, W., Mazer, R., & Warren, S. (2021, March). Nigeria Consumer Protection in Digital Finance Survey. doi:https://doi.org/10.7910/DVN/USMYWW
Rajya Sabha. (2023, March 21). UNSTARRED QUESTION NO. 2296: UPI Frauds. Retrieved from https://rajyasabha.nic.in/Questions/MinistryWiseSearch
McAfee. (2020). McAfee Mobile Threat Report Q1, 2020. Retrieved from https://www.mcafee.com/content/dam/consumer/en-us/docs/2020-Mobile-Threat-Report.pdf
Cisco. (n.d.). What is malware? Retrieved April 5, 2023, from https://www.cisco.com/site/us/en/products/security/what-is-malware.html#title-6af94cb24a
Ilascu, I. (2023, January 17). Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner. Retrieved from https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/
National Payments Corporation of India. (n.d.). Unified Payments Interface (UPI). Retrieved April 5, 2023, from https://www.npci.org.in/what-we-do/upi/product-overview
National Payments Corporation of India. (2016). India’s Unified Payment Gateway for Real-Time Payment Transactions. Retrieved from https://www.npci.org.in/PDF/npci/upi/Product-Booklet.pdf
Chalwe-Mulenga, M., Duflos, E., & Coetzee, G. (2022). The Evolution of the Nature and Scale of DFS Consumer Risks A Review of Evidence. Washington, D.C: CGAP. Retrieved from https://www.cgap.org/sites/default/files/publications/slidedeck/2022_02_Slide_Deck_DFS_Consumer_Risks.pdf
HDFC Bank. (n.d.). Unified Payments Interface Frequently asked questions. Retrieved April 17, 2023, from https://www.hdfcbank.com/personal/pay/money-transfer/unified-payment-interface/faqs
Bank of Baroda. (n.d.). FREQUENTLY ASKED QUESTIONS [FAQ’S] . Retrieved April 17, 2023, from https://www.bankofbaroda.in/writereaddata/images/pdf/UPI-FAQs-eDB.pdf
Fi. (n.d.). Frequently Asked Questions. Retrieved April 17, 2023, from https://fi.money/FAQs/transactions/fund-transfer/is-there-any-cool-off-period-or-transaction-limit-after-i-reset-my-upi-pin
Singh, K. (2020, February 4). Indian banking app Paytm no longer works with remote access apps like TeamViewer or AnyDesk installed. Android Police . Retrieved April 17, 2023, from https://www.androidpolice.com/2020/02/03/paytms-teamviewer-anydesk/
[1] The author is a Policy Analyst with Dvara Research. The author would like to sincerely thank Beni Chugh and Lakshay Narang for their valuable input and rigorous review.
[2] 85 respondents from Mumbai, Delhi, Kolhapur and Unnao
[3] A combination of the mobile number linked to the user’s bank account and the IMEI number of the user’s device.
[4] Link to tweet – https://twitter.com/dushyantgadewal/status/1369876267336527873
Cite this blog:
APA
R, S. (2023). The Use of Malware in UPI related Fraud. Retrieved from Dvara Research.
MLA
R, Shreya. “The Use of Malware in UPI related Fraud.” 2023. Dvara Research.
Chicago
R, Shreya. 2023. “The Use of Malware in UPI related Fraud.” Dvara Research.