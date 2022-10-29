Eighteen banks in India have been targeted by a new version of the Drinik Android Trojan. In its report, Cyble Research and Intelligence Labs (CRIL) said the upgraded version of Drinik, which impersonates the Income Tax Department of India, has targeted customers of 18 banks.

Drinik was first spotted in 2016 as an SMS stealer and the malware has changed over the years. In August 2021, Drinik was observed to be active again.

A month later, the Indian Computer Emergency Response Team (CERT-In) warned about the malware targeting Indian taxpayers and mentioned that customers of 27 banks were at risk. During September 2021, taxpayers were being targeted explicitly via mobile applications, phishing emails, and smishing.

The new version of Drinik reaches users through an SMS that delivers an APK file. The APK installs an application called iAssist, which mimics the tax-management tool of the Income Tax Department.

Once installed on an Android phone, iAssist asks the user to grant permissions to receive, read and send SMS, read call logs, and read and write external storage.

After this, iAssist also asks the user to enable it as an accessibility service. The malware abuses that service, first to disable Google Play Protect and then for the actions described below.

“It then starts abusing the service to obtain the necessary permissions to start screen recording, disable Google Play Protect, execute auto-gestures, and capture key logs,” the CRIL said in its report, adding the latest variant of Drinik loads the genuine website of the Income Tax Department instead of displaying fake phishing pages.

“Before showing the login page to the victim, the malware displays an authentication screen for biometric verification. When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes,” the CRIL added.

The malware then sends the stolen details to its command-and-control (C&C) server.

Once that authentication step is complete, the malware displays the genuine Income Tax Department website loaded inside a WebView.

Drinik starts screen recording as soon as the victim enters a user ID (a PAN or Aadhaar number, among other accepted identifiers) and sends the recording to the C&C server.

“Once the victim logs in to the genuine site, the malware executes the onPageFinished() method, which further checks the loaded URL to validate the login status. The malware then checks if the loaded URL is any of the following and confirms the user’s successful login,” the CRIL report said.

If the loaded URL shows that the victim has not yet logged in, the malware displays the message "To use this functionality, you are required to log in first!" and prompts the victim to log in. Otherwise, it treats the victim as logged in and moves to the phishing stage.

After login, the genuine site redirects to the dashboard URL “hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard”.

When onPageFinished() sees this dashboard URL, the malware displays a fake dialog box saying, "Our database indicates that you are eligible for an instant tax refund of Rs.57,100/- from your previous tax miscalculations till date. Click Apply to apply for an instant refund and receive your refund in your registered bank account in minutes."

When the victim clicks Apply, the malware opens the phishing URL hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved&source=App&uid= .

This URL redirects to hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid= , a site that impersonates the genuine Income Tax Department portal to lure victims into submitting sensitive information.
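The permission set and accessibility-service request described earlier, together with the refund lure text and the phishing hosts quoted above, are the kind of artefacts an analyst checks first when triaging an unpacked APK. The script below is an added example and is not code from the CRIL report or from the malware: it scores a decoded AndroidManifest.xml for the SMS, call-log, storage and accessibility declarations the article lists, then scans a strings dump for the quoted indicators. The function names, scoring weights, verdict thresholds and both sample inputs (a constructed manifest modelled on iAssist and a constructed strings dump) are this example's own assumptions; the e-filing dashboard URL is legitimate on its own and is deliberately given no weight by itself.

```python
"""APK static-triage heuristic for the Drinik/iAssist behaviours described above.

Added example, not code from the Cyble/CRIL report or from the malware. Weights,
thresholds, function names and the two sample inputs are assumptions made here.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions the article says iAssist requests; weights are this example's choice.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 2,          # intercept bank/OTP SMS
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 1,             # self-spreading, premium SMS
    "android.permission.READ_CALL_LOG": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 0.5,
    "android.permission.WRITE_EXTERNAL_STORAGE": 0.5,
}
ACCESSIBILITY_WEIGHT = 3  # used to auto-grant permissions and disable Play Protect

# Indicators quoted in the article. The dashboard URL alone is benign; it only
# matters alongside the lure text or the phishing hosts, so it is not a HARD_IOC.
IOC_PATTERNS = {
    "phishing host gia.3utilities.com": re.compile(r"gia\.3utilities\.com", re.I),
    "phishing IP 192.227.196.185": re.compile(r"\b192\.227\.196\.185\b"),
    "refund lure text": re.compile(r"eligible for an instant tax refund", re.I),
    "e-filing dashboard URL check": re.compile(
        r"eportal\.incometax\.gov\.in/iec/foservices/#/dashboard", re.I),
}
HARD_IOCS = {"phishing host gia.3utilities.com",
             "phishing IP 192.227.196.185",
             "refund lure text"}


def refang(text: str) -> str:
    """Undo the hxxp:// and [.] defanging used in reports so patterns match."""
    return re.sub(r"\[\.\]", ".", text).replace("hxxp", "http")


def parse_manifest(xml_text: str) -> dict:
    """Return requested permissions and services bound as accessibility services."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    acc = [s.get(ANDROID_NS + "name") for s in root.iter("service")
           if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM]
    return {"permissions": perms, "accessibility_services": acc}


def score_manifest(info: dict) -> tuple[float, list[str]]:
    """Weighted score of the risky declarations plus human-readable findings."""
    score, findings = 0.0, []
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in info["permissions"]:
            score += weight
            findings.append(perm.rsplit(".", 1)[-1])
    if info["accessibility_services"]:
        score += ACCESSIBILITY_WEIGHT
        findings.append("accessibility service: " + ", ".join(info["accessibility_services"]))
    return score, findings


def scan_strings(dump: str) -> list[str]:
    """Names of the indicators found in a (possibly defanged) strings dump."""
    text = refang(dump)
    return [name for name, pat in IOC_PATTERNS.items() if pat.search(text)]


def triage(manifest_xml: str, strings_dump: str) -> dict:
    info = parse_manifest(manifest_xml)
    score, findings = score_manifest(info)
    iocs = scan_strings(strings_dump)
    if any(i in HARD_IOCS for i in iocs):   # a known lure or host is decisive
        verdict = "malicious"
    elif score >= 5:                        # threshold is an assumption
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"score": score, "findings": findings, "iocs": iocs, "verdict": verdict}


# Constructed manifest modelled on the permission set described for iAssist.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iassist">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="iAssist">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed strings dump containing the lure and URLs quoted in the article.
SAMPLE_STRINGS = """To use this functionality, you are required to log in first!
Our database indicates that you are eligible for an instant tax refund of Rs.57,100/-
hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard
hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved&source=App&uid=
"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(triage(BENIGN_MANIFEST, ""))
```

Run against an apktool-decoded manifest and the output of `strings` over the DEX and resources. The manifest score on its own only reaches "suspicious", because SMS and accessibility permissions are also requested by some legitimate apps; a match on the lure text or the phishing hosts is what tips the verdict to "malicious".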
