Highlights
Technical Bugs in UPI Apps Identified by Student
Technical bugs in UPI apps have been uncovered by Ankit Thakur, a B.Tech (CSE) student from Haryana. He found three vulnerabilities within the UPI apps ecosystem that could potentially be exploited by fraudsters. Following a report by The Tribune, it was revealed that Thakur was still a school student when his father, who is a driver, lost Rs 20,000 to an online scam in 2020.
This incident had a profound impact on Thakur, motivating him to explore the workings of UPI apps and identify weaknesses that scammers could take advantage of. In June 2025, he began reporting these security issues to Google’s security bot. The effort resulted in Google acknowledging the vulnerabilities and releasing patches by February 2026.
Identified Technical Bugs
The three technical bugs include Chrome Intent Vulnerability, Authentication Bypass, and Audio Hijack. One notable provided threat allows malicious websites to launch UPI apps without any user consent or interaction. Thakur noted, “This feature acts as an open door for scammers, giving them a direct path to the user’s payment interface,” as reported by The Tribune.
Authentication Bypass
The second concern involves the ability to bypass initial authentication measures, such as app locks or biometric security, that are designed to protect UPI apps. Thakur stated that both Google Pay and Paytm have acknowledged his findings, which have since been rectified.
Audio Hijack Vulnerability
Lastly, the Audio Hijack vulnerability is considered the most perilous of the three. In this instance, UPI applications do not ‘lock audio focus’ during transactions. Exploiting this flaw, a deceptive app running in the background could play its own audio. This misleads users into believing that the voice is coming from the official payment app, putting them at risk of fraud.
It is important to mention that Google undertakes stringent verification processes before assessing the severity of identified flaws. Once verified, the company implements the necessary fixes and critical patches to secure the Android ecosystem for UPI. This underscores the importance for smartphone users to consistently update their devices and download security patches to ensure the ongoing protection of their operating systems and applications.
