A new variant of the Drinik Android malware now targets 18 Indian banks while disguising itself as the nation’s official tax management app to steal victims’ personal information and login credentials. In September 2021, Drinik, an SMS stealer spreading in India since 2016, gained banking trojan characteristics that target 27 financial institutions by sending victims to phishing URLs.
According to analysts at Cyble who have been monitoring the situation, the malware's makers have transformed it into a full Android banking trojan with screen recording, keylogging, abuse of the Accessibility Service, and the capacity to conduct overlay attacks.
The most recent iteration of the malware is delivered as an APK file called "iAssist," which is presented as the official tax administration tool of India's Income Tax Department. Upon installation, it demands access to read the user's call history, read and write to external storage, and receive, read, and send SMS. The user is then prompted to grant the app permission to (ab)use the Accessibility Service. If allowed, it turns off Google Play Protect and uses the service to record the screen, capture keystrokes, and perform navigation gestures. Instead of loading phishing sites as previous iterations did, the program eventually opens the real Indian income tax website in a WebView and then steals user credentials by recording the user's screen and employing a keylogger.
To confirm the validity of the exfiltrated information (user ID, PAN, and AADHAR), Drinik additionally checks whether the victim arrived at a URL that signals a successful login. At this point, the victim is presented with a phony dialogue box claiming that the tax authority has determined they are entitled to a refund of ₹57,100 ($700) due to prior tax calculation errors and inviting them to click the "Apply" button to claim it.
The victims are then asked to submit financial information, such as account numbers, credit card numbers, CVVs, and card PINs, on a phishing page that is a copy of the legitimate Income Tax Department website. To target the eighteen banks, Drinik continuously monitors Accessibility Service events for the targeted banking apps. One of the biggest banks in the world, SBI (State Bank of India), which has 22,000 branches and serves 450,000,000 customers, is among the targeted banks.
In the event of a match, the malware seizes user credentials from keylogging data and sends them to the C2 server. During this attack, Drinik makes use of the "CallScreeningService" to block incoming calls that could interrupt the login process and, consequently, the data-stealing process. Even though Drinik isn't as clever or advanced as other banking trojans, its developers regularly add features that make it more difficult to detect, in an apparent effort to make it more potent.
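As an added triage example (not code from Cyble's report or from the malware), the script below checks a decoded AndroidManifest.xml for the combination described above: call-log, external-storage and SMS permissions plus services bound through the Accessibility and CallScreeningService permissions. The sample manifest and its package name are constructed for illustration.

```python
"""Flag a decoded AndroidManifest.xml that requests the Drinik-style capability mix:
call log + SMS + external storage, plus Accessibility and call-screening services."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions the dropper requests on install, per the behaviour described above.
RISKY_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Services the OS binds via these permissions: Accessibility (UI control, keylogging)
# and call screening (blocking incoming calls during the login/theft phase).
RISKY_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_SCREENING_SERVICE": "call_screening",
}

def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = set()
    for svc in root.iter("service"):
        kind = RISKY_SERVICE_PERMISSIONS.get(svc.get(A + "permission"))
        if kind:
            services.add(kind)
    hits = sorted(requested & RISKY_PERMISSIONS)
    # A tax-filing app has no business combining SMS access, call-log access and an
    # accessibility service; require all three to keep false positives down.
    uses_sms = any(p.endswith("_SMS") for p in hits)
    suspicious = uses_sms and "android.permission.READ_CALL_LOG" in hits and "accessibility" in services
    return {"permissions": hits, "services": sorted(services), "suspicious": suspicious}

# Constructed sample manifest (hypothetical package name), modelled on the behaviour above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.iassist">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="iAssist">
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CallBlocker" android:permission="android.permission.BIND_SCREENING_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests extracted with a decoder such as apktool; a hit warrants manual review rather than an automatic verdict.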
Drinik has a huge target audience because it targets Indian taxpayers and banking consumers. Therefore, any new successful feature could result in significant financial profits for the malware's operators. To prevent this threat, always avoid downloading APKs from sources other than the Play Store and use biometric authentication or 2FA when connecting to e-banking sites.