Camera Injection Attack on Live Selfie KYC — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Camera Injection Attack on Live Selfie KYC in India 2026: A New Threat to Your UPI and Loan Safety
A sharp rise in fraud incidents using camera injection attacks during live selfie KYC verification puts millions of Indian UPI and loan app users at serious risk in 2026.
What Is the Camera Injection Attack on Live Selfie KYC?
The camera injection attack on live selfie KYC (Know Your Customer) is a sophisticated fraud targeting digital loan and payment apps that require selfie-based identity verification. In India, many financial services—including UPI-linked wallets and instant loan applications—mandate live selfie KYC to comply with RBI and regulatory rules aimed at preventing identity theft and financial fraud. However, fraudsters are now exploiting weaknesses in app camera access permissions and live verification processes through what is called a “camera injection attack.”
In this scam, attackers inject fake or pre-recorded video feeds into the selfie KYC system, tricking the app’s live detection algorithms into accepting fraudulent identity verification. Unlike simple photo-forgery, this advanced method bypasses liveness detection by simulating genuine live video streams. Targets include unsuspecting Indian users applying for quick loans or linking their bank accounts to UPI apps, exposing them to identity theft and unauthorized fund transfers.
According to public complaints reported to Indian cybercrime authorities like CERT-In and the I4C (Indian Cyber Crime Coordination Centre), this scam is spreading fast, especially among first-time loan applicants and rural users unfamiliar with digital security. The scam has drawn attention from RBI, which highlights biometric security risks in ongoing digital finance advisories.
How This Scam Works — Step by Step
1. Initial Contact: The victim receives a call or WhatsApp message, allegedly from a loan app or bank, offering instant loans or UPI linking with minimal documentation.
2. Prompt for KYC: The caller asks the victim to complete a “live selfie KYC” via a shared URL or mobile app, claiming this is mandatory for loan approval or UPI activation.
3. Camera Access: When the victim opens the link/app, they are requested to grant camera access to complete a live selfie video. Unbeknownst to them, the app or website includes malware or code that allows camera injection.
4. Injection of Fake Video: The attacker then injects a pre-recorded video of a person who meets the app’s liveness detection criteria or digitally manipulates the live feed to pass the KYC.
5. KYC Approval & Loan Disbursement: The system verifies the fake live selfie as valid and grants loan approval or UPI linking.
6. Unauthorized Transactions: Fraudsters use the verified KYC credentials to conduct unauthorized UPI transactions, withdraw loans under the victim’s name, or misuse Aadhaar-linked details.
7. Victim Notified Too Late: The victim only finds out after unauthorized debits, UPI fraud, or loan recovery notices arrive, often after the attacker has moved funds beyond reach.
Real Warning Signs to Watch For
- Receiving unexpected calls or WhatsApp messages urging instant loan approval via a selfie KYC link.
- Links or apps requesting unusual camera permissions beyond selfie capture.
- KYC URLs sent via unofficial channels or from new, unverified phone numbers.
- Poor grammar or spelling mistakes in messages claiming to be from banks or government bodies.
- Pressure tactics demanding immediate selfie video submission.
- Requests to disable phone security features or install unfamiliar software.
- Receiving OTPs or UPI notifications for transactions never initiated by you.
What Happens to Victims
Victims often suffer substantial financial losses, as fraudsters use the forged live selfie KYC to obtain loans or link bank accounts to fake UPI IDs, making transactions difficult to reverse. Since the fraudulent KYC is “verified,” Indian banks and payment apps may initially refuse reversals or claim the user consented to transactions. Aadhaar-linked biometric misuse can also lead to identity theft for government subsidies or SIM swap fraud, causing further financial and emotional distress.
Emotionally, victims face confusion, trust erosion in digital finance, and the stress of navigating complex complaint mechanisms. Rural and less tech-savvy users are disproportionately affected, often unaware of how their selfie data was hijacked for these crimes.
What RBI and CERT-In Say
The Reserve Bank of India has continuously emphasized strengthening authentication methods during digital transactions, including enhancing KYC procedures for loans and UPI services. While RBI has not issued a specific advisory on camera injection attacks, its cybersecurity framework mandates multi-factor authentication and cautions users never to share OTPs or biometric data outside official apps.
CERT-In and I4C advise users to be vigilant about camera and app permissions, avoid clicking suspicious links for KYC, and report any anomalies to official channels like the 1930 cybercrime helpline. They stress adopting secure app downloads only from trusted platforms and verifying the authenticity of loan offers.
How to Protect Yourself
- Always perform KYC authentication directly through official bank or app platforms—never through links received on WhatsApp or calls.
- Never grant camera or biometric permissions to unknown or unverified apps.
- Cross-check loan or UPI linking offers by calling customer service numbers from bank websites rather than responding to unsolicited messages.
- Use official UPI apps compliant with RBI’s Device Binding and Two-Factor Authentication norms.
- Regularly update your smartphone’s security patches and use trusted antivirus software to detect malware.
- Avoid sharing OTPs, PINs, or Aadhaar details with anyone claiming to help complete KYC.
- Enable transaction alerts and monitor your bank and UPI accounts daily for unauthorized activity.
What to Do If You've Been Targeted
- Immediately contact your bank or UPI provider to freeze your accounts and block further transactions.
- Report the fraud to the 1930 National Cyber Crime Reporting Portal and provide all evidence like call logs, messages, and transaction details.
- File a complaint with local police cyber cells and preserve the SIM and phone data as evidence.
- Inform your telecom provider to check for SIM swap or cloning attempts.
- Seek help from RBI’s customer grievance cell for disputed financial transactions.
- Consider changing your Aadhaar-linked mobile number and updating your biometric data with UIDAI if compromised.
- Stay updated about scam trends on CERT-In and I4C websites.
Frequently Asked Questions
Q: Can camera injection attacks be prevented by regular apps?
A: Most popular financial apps have anti-spoofing features, but camera injection attacks exploit permission misuse or malware. Only use official, updated apps and avoid third-party KYC links.
Q: How fast can fraudsters misuse my selfie KYC data?
A: Often within minutes – once fake KYC is approved, loan disbursal or UPI linking happens rapidly before victims notice.
Q: Will RBI reimburse losses from such scam transactions?
A: RBI requires banks to resolve genuine fraud claims fairly, but victims must report promptly. Reimbursement depends on individual case verification.
Check any suspicious message or loan offer instantly at BharatSecure.app and report fraud cases to the 1930 cybercrime helpline to help protect yourself and others.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.