
Driver's son detects bugs in UPI apps, Google acknowledges reports

Began research after father was defrauded of Rs 20K; Seeks government support to check online banking frauds

Ankit Thakur

Ankit Thakur of Talwana Kheri village in Mahendragarh district was studying in school when his father, Sunil, a driver by profession, was cheated of Rs 20,000 in an online fraud in 2020.


The incident had such a deep impact on Ankit’s mind that he started thorough research on the technical lacunae in UPI applications due to which people are defrauded of their hard-earned money by cyber thugs.


Ankit, who is now a student of B.Tech (Computer Science and Engineering), detected three technical bugs that aided fraudsters. He reported the bugs to the Google security bot, which acknowledged one of these and took corrective measures.


“The process of identifying the bugs and explaining the cybersecurity threats posed by them takes a long time. I started reporting the matter to the Google team in June 2025, and it was resolved in February this year,” Ankit told ‘The Tribune’, adding that he was still making efforts to make UPI applications secure for users.

The three technical bugs detected by the student-researcher include Chrome Intent Vulnerability, Authentication Bypass, and Audio Hijack.

Chrome Intent Vulnerability refers to a flaw in the Chrome browser that allows a malicious webpage to directly open sensitive apps like UPI without any user permission or even a single click. “This feature acts as an open door for scammers, giving them a direct path to the user’s payment interface,” said Ankit.

Authentication Bypass indicates a way to bypass the ‘First Layer Authentication’ (such as app locks or biometrics) designed to secure UPI apps. “Though Google Pay and Paytm have fixed this serious vulnerability following my report, many such loopholes may still exist,” he said.

The third bug, Audio Hijacking, was the most lethal, he claimed. “In this scenario, UPI apps fail to ‘lock audio focus’ during a payment. Taking advantage of this, a fake app hidden in the background can play its own audio (e.g., ‘Enter your PIN to receive money’). The user believes the voice is coming from the payment app itself and falls prey to fraudsters,” he explained.

Ankit maintains that if the government supports him, he can help the authorities in checking cyber frauds, especially those related to online banking.
