UPI app bug spotted by user
A young researcher found bugs in UPI payment apps after his father was defrauded of Rs 20,000, and Google acknowledged the reports. The incident underscores how application‑level issues and customer reports can reveal fraud vectors that sit outside classic ITGC testing. (tribuneindia.com)
A Haryana engineering student said he found three flaws in Unified Payments Interface payment apps after his father lost Rs 20,000 in a fraud. (tribuneindia.com)
The student, Ankit, told The Tribune he began reporting the issues to Google in June 2025 and said one of the reports was resolved in February 2026. He identified the bugs as a Chrome intent vulnerability, an authentication bypass, and an audio hijack issue. (tribuneindia.com)
Unified Payments Interface is India’s instant bank-to-bank payment rail, used by apps such as Google Pay, PhonePe, and Paytm to move money with a mobile number, a quick-response code, or a virtual payment address. In March 2026, the network processed 22.64 billion transactions worth Rs 29.53 lakh crore, according to National Payments Corporation of India data cited by the Department of Financial Services. (aninews.in)
A Chrome intent bug can let one app pass a payment request into another app in a way the user may not fully see, while an authentication bypass can weaken the step that confirms who is approving a transaction. An audio hijack issue points to the sound channel on a phone, where alerts or spoken prompts can be altered, muted, or misused during a payment flow. (tribuneindia.com)
The case landed as Indian authorities were already tightening payment safeguards. In August 2025, the National Payments Corporation of India rolled out new Unified Payments Interface rules aimed at improving app performance and reducing fraud across service providers. (tribuneindia.com)
The Reserve Bank of India said in its 2024-25 annual report that the year brought greater emphasis on cyber resilience, payment security controls, fraud prevention, and consumer awareness for payment system operators. The central bank said those steps were meant to keep digital payments safe and seamless as usage expanded. (rbi.org.in)
The government told Parliament in March 2025 that the Reserve Bank of India and the National Payments Corporation of India had already taken multiple steps to prevent payment fraud, including fraud tied to Unified Payments Interface transactions. That reply also showed digital payment volumes climbing sharply over the previous five financial years. (pib.gov.in)
The Tribune said Ankit is seeking government support to keep checking online banking frauds. His reporting turned a family’s Rs 20,000 loss into a bug trail that reached Google’s review system. (tribuneindia.com)