Infostealer Malware Used for UPI Fraud
Verdict: Suspicious | Risk Score: 9/10 | Severity: critical
Category: UPI, WhatsApp, Phishing
How Infostealer Malware Used for UPI Fraud Works
Overview:
Indian citizens are increasingly being targeted by infostealer malware attacks, which start as seemingly harmless links or downloads. Once installed, this malware steals saved passwords, especially from browsers, and attackers use these to access UPI and mobile banking apps. The end goal: drain your accounts by rapidly transferring money using your credentials. With the dramatic rise of these attacks in early 2026, especially after the ICAI and MGSU data breaches, Indians face a heightened risk.
How It Works:
Attackers spread malware via fake exam result links, software cracks, or utility bill reminders. If you download or open such a link, the infostealer silently grabs login details saved in your browser. Criminals test these credentials on UPI platforms (PhonePe, GPay) via bots. They conduct small trial transfers (₹1-10) to check if their access works, then move larger amounts to accounts under their control.
India Angle:
Infostealers like RedLine and Lumma are spreading through WhatsApp groups, Telegram channels, and scam exam result/admit card pages. NCR, Mumbai, and student towns see heavy targeting. Young students and mobile-first users are most exposed, as they often save passwords in their browsers.
Real Examples:
- A CA aspirant downloads a fake admit card. Suddenly, UPI notifications arrive for test transfers, followed by large withdrawals.
- An MBA student opens a ZIP file for “updated exam timetable” on WhatsApp, after which her GPay account is compromised.
Red Flags:
- Browser asks you to fill passwords on sites you usually skip
- UPI app notifications for ₹1 or ₹2 transfers you didn’t make
- Security pop-ups for ‘virus scan’ after clicking a new file or link
- Multiple failed login attempts from unknown devices
Protective Measures:
- Never download software from unofficial or forwarded links
- Don’t open ZIP/RAR files from strangers or unknown sources
- Regularly clear saved passwords in your browser; use a trusted password manager
- Immediately unlink compromised devices from your UPI apps
If Victimised:
- Remove malware by scanning with updated antivirus software
- Change all your passwords and enable 2FA
- Report financial thefts to 1930, cybercrime.gov.in, and your bank
Related Scams:
- Fake utility bill or exam result scam pages with malware
- Phishing calls asking for UPI PIN reset
- WhatsApp phishing with APK files for ‘bank update’
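One way a bank or UPI app fraud team could detect the “trial transfer, then drain” pattern described above (micro-transfers of ₹1-10 to a payee followed shortly by a large transfer to the same payee). This is an added example, not BharatSecure’s or any UPI provider’s own code; the debit records are constructed, and the ₹5,000 “large” threshold and one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample UPI debit records (not real data):
# (account, timestamp, payee VPA, amount in INR)
SAMPLE_DEBITS = [
    ("acct-A", "2026-02-10 09:00:00", "merchant@okaxis", 450.0),
    ("acct-A", "2026-02-10 23:41:10", "unknown1@ybl", 1.0),      # trial transfer
    ("acct-A", "2026-02-10 23:43:05", "unknown1@ybl", 2.0),      # trial transfer
    ("acct-A", "2026-02-10 23:55:30", "unknown1@ybl", 48000.0),  # drain
    ("acct-B", "2026-02-10 12:00:00", "friend@upi", 5.0),
    ("acct-B", "2026-02-11 08:00:00", "grocer@paytm", 320.0),
]

TEST_MAX = 10.0                 # ₹1-10 trial transfers, as described on this page
LARGE_MIN = 5000.0              # assumed threshold for a "large" follow-up transfer
WINDOW = timedelta(hours=1)     # assumed maximum gap between trial and drain


def parse(records):
    """Parse timestamps and order records per account, oldest first."""
    parsed = [(a, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), p, amt)
              for a, ts, p, amt in records]
    return sorted(parsed, key=lambda r: (r[0], r[1]))


def find_test_then_drain(records, test_max=TEST_MAX, large_min=LARGE_MIN, window=WINDOW):
    """Return (account, payee, trial_count, large_amount) for every large transfer
    that was preceded, within `window`, by micro-transfers to the same payee."""
    alerts = []
    trials = defaultdict(list)  # (account, payee) -> timestamps of micro-transfers
    for acct, ts, payee, amt in parse(records):
        key = (acct, payee)
        if amt <= test_max:
            trials[key].append(ts)
            continue
        if amt >= large_min:
            recent = [t for t in trials[key] if ts - t <= window]
            if recent:
                alerts.append((acct, payee, len(recent), amt))
    return alerts


if __name__ == "__main__":
    for alert in find_test_then_drain(SAMPLE_DEBITS):
        print("ALERT: trial-then-drain pattern", alert)
```

A real deployment would hold the large transfer for step-up verification rather than merely logging it; the thresholds here are illustrative.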
How This Scam Works — Detailed Explanation
Scammers often find their victims through various online platforms, including social media, messaging apps like WhatsApp, and unofficial websites that host supposed free downloads or tools. They set up enticing scenarios, such as offering free utilities or exclusive content, which leads unsuspecting users to click on malicious links. For instance, an attacker might send a message on WhatsApp with a seemingly harmless link claiming to be a necessary software update. Once the victim clicks on this link, it initiates an automatic download of infostealer malware to their device, laying the groundwork for further exploits.
Once installed, infostealer malware operates covertly to harvest sensitive information stored in browsers. This includes saved passwords, auto-fill details, and other personal data linked to UPI and mobile banking apps. Scammers deploy psychological tricks, often creating a sense of urgency or exclusive opportunity around the malicious link. They might promise that action is needed to secure accounts, effectively pressing victims to bypass their usual cautious behavior. Victims find themselves interacting with polished interfaces that appear legitimate, further entrenching their trust in the fraudulent scheme.
As the malware activates, the victim's stored credentials quickly become accessible to the scammer. In many cases, the malware sends the harvested data directly to a designated server controlled by the attackers. Victims may keep checking their bank accounts as usual, unaware that the credential compromise has taken place. For instance, a recent case revealed that a user in Delhi noticed someone had rushed to siphon ₹50,000 from their UPI account after they had interacted with a phishing link disguised as a payment receipt.
The ramifications of such scams are staggering. Recent reports indicated that, following the data breaches of prominent institutions like ICAI and MGSU in 2026, victims in India lost upwards of ₹150 crores collectively through various fraudulent transactions linked to infostealer malware. This has raised alarms among cybersecurity agencies, prompting advisories from the Ministry of Home Affairs, the Reserve Bank of India, and CERT-In. The grim reality is that once the instigators behind these scams gain access, the rapid transfer of funds can leave victims financially devastated with no immediate recourse.
To distinguish this scam from legitimate communications, watch for certain red flags. Verifying links sent through messaging platforms before opening them is crucial. Legitimate businesses rarely send unsolicited ZIP or RAR files or ask for sensitive information through unexpected pop-ups. If you encounter unexpected small UPI transactions or strange security notifications on your device, that should trigger concern. Remember, authentic organizations will never request sensitive data through unofficial means. Always ensure that you are on the official website before entering personal details, and cross-check through official customer service numbers before taking any action.
Visual Intelligence:
BharatSecure's AI has identified this as a used in scams targeting Indian users.
Who Does Infostealer Malware Used for UPI Fraud Target?
General public across India
Red Flags — How to Identify Infostealer Malware Used for UPI Fraud
- Unsolicited ZIP/RAR file links
- Unexpected small UPI transactions
- Strange security pop-ups after link clicks
- Browser autofill requests on unknown sites
What To Do If You Encounter Infostealer Malware Used for UPI Fraud
- Report any suspicious activity immediately by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in for guidance.
- Change your UPI and mobile banking passwords without delay to prevent unauthorized access.
- Check your transaction history for any unauthorized transactions and report them to your bank's helpline (SBI 1800-11-1109, HDFC 1800-202-6161).
- Disable any suspicious apps or browser extensions that may have been installed without your consent.
- Educate friends and family about this malware to help them avoid falling victim to similar schemes.
- Regularly update your device's security software to protect against newly developed infostealer malware.
How to Report Infostealer Malware Used for UPI Fraud in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What to do if I shared my OTP in a UPI scam?
- Immediately contact your bank's customer service and inform them about the incident. Report the issue at 1930 and take necessary steps to lock your account.
- How can I identify infostealer malware?
- Look out for unsolicited downloads, strange pop-ups, or unexpected requests for personal information. Always be cautious of unsolicited communication.
- How do I report this type of scam in India?
- You can report it by calling the cybercrime helpline at 1930, visiting cybercrime.gov.in, and also reporting fraudulent transactions directly to your bank.
- How can I recover money or protect my accounts after this scam?
- Contact your bank immediately to reverse unauthorized transactions and follow their recovery procedures. Also, change your passwords and consider activating additional security measures.
Verify Any Suspicious Message
Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.