Jump to content
  • Drinik Android malware now targets users of 18 Indian banks

    alf9872000

    • 409 views
    • 3 minutes
     Share


    • 409 views
    • 3 minutes

    A new version of the Drinik Android trojan targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials.

     

    Drinik has been circulating in India since 2016, operating as an SMS stealer, but in September 2021, it added banking trojan features that target 27 financial institutes by directing victims to phishing pages.

     

    Analysts at Cyble have been following the malware and report that its developers have evolved it into a full Android banking trojan with screen recording, keylogging, abuse of Accessibility services, and the ability to perform overlay attacks.

    Stealing credentials from real sites

    The latest version of the malware comes in the form of an APK named 'iAssist,' which is supposedly India's Income Tax Department's official tax management tool.

     

    Upon installation, it requests permissions to receive, read, and send SMS, read the user's call log, and read and write to external storage.

     

    Next, it requests the user the allow the app to (ab)use the Accessibility Service. If granted, it disables Google Play Protect and uses it to perform navigation gestures, record the screen, and capture key presses.

     

    Eventually, the app loads the actual Indian income tax site via WebView instead of phishing pages like past variants and instead steals user credentials by recording the screen and using a keylogger.

     

    loading-real-site.png

    Loading the actual tax site and activating the screen recorder (Cyble)

     

    Drinik will also check if the victim ended up on a URL that indicates a successful login to ensure that the exfiltrated details (user ID, PAN, AADHAR) are valid.

     

    At this stage, the victim is served a fake dialogue box saying that the tax agency found they're eligible for a refund of Rs 57,100 ($700) due to previous tax miscalculations and are invited to tap the "Apply" button to receive it.

     

    refund-message.png

    Code to display the fake refund message (Cyble)

     

    This action takes the victims to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information, including account number, credit card number, CVV, and card PIN.

     

    phishing-site(3).png
    The phishing site that mimics the real tax portal (Cyble)

    Targeting banks

    To target the eighteen banks, Drinik constantly monitors the Accessibility Service for events related to the targeted banking apps, such as their apps.

     

    keywords.png

    The keywords that activate Drinik's loggers (Cyble)

     

    The targeted banks include SBI (State Bank of India), one of the largest banks in the world, serving 450,000,000 people via a massive network of 22,000 branches.

     

    If there’s a match, the malware collects keylogging data that contain user credentials and siphons them to the C2 server.

     

    During this attack, Drinik abuses the “CallScreeningService” to disallow incoming calls that may interrupt the login and, by extension, the data-stealing process.

     

    blocking-calls.png
    Drinik blocking incoming calls (Cyble)

    Drinik evolving

    While Drinik isn’t as sophisticated or advanced as other banking trojans, its authors appear determined to make it more powerful, constantly adding features that make it harder to detect.

     

    drinik-evolution(1).png

    Evolution of Drinik (Cyble)

     

    Going after Indian taxpayers and banking customers means that Drinik has a massive targeting pool, so every new successful feature potentially translates to substantial financial gains for the malware’s operators.

     

    To avoid this threat, always avoid APK downloads from outside the Play Store and enable biometric authentication, such as 2FA, for logging in to e-banking portals.

     

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...