Sign in

Android users beware! 18 Indian banks affected by new version of Drinik malware

In its report, the Cyble Research and Intelligence Labs (CRIL) said the upgraded version of Drinik impersonating the Income Tax Department of India has targeted 18 banks.

Published on: Oct 29, 2022, 14:43:21 IST
By , New Delhi
Share
Share via
  • facebook
  • twitter
  • linkedin
  • whatsapp
Copy link
  • copy link

Eighteen banks in India have been affected by a new version of the Drinik Android Trojan. In its report, the Cyble Research and Intelligence Labs (CRIL) said the upgraded version of Drinik impersonating the Income Tax Department of India has targeted 18 banks.

During September 2021, taxpayers were being targeted explicitly via mobile applications, phishing emails, and smishing. (Representative image)
During September 2021, taxpayers were being targeted explicitly via mobile applications, phishing emails, and smishing. (Representative image)

Drinik was first spotted in 2016 as an SMS stealer and the malware has changed over the years. In August 2021, Drinik was observed to be active again.

A month later, the Indian Computer Emergency Response Team (CERT-In) warned about the malware targeting Indian taxpayers and mentioned that customers of 27 banks were at risk. During September 2021, taxpayers were being targeted explicitly via mobile applications, phishing emails, and smishing.

The new version of Drinik targets users by sending an SMS with an APK file. The file has an application called iAssist, which mimics the tax management tool of the Income Tax Department.

Upon installing iAssist on an Android phone, the app asks users to permit actions such as receiving SMS, reading SMS, sending SMS, reading call logs, reading external storage and writing external storage.

After this, iAssist also asks users to permit it to use the accessibility service with the sole intention of disabling Google Play Protect.

“It then starts abusing the service to obtain the necessary permissions to start screen recording, disable Google Play Protect, execute auto-gestures, and capture key logs,” the CRIL said in its report, adding the latest variant of Drinik loads the genuine website of the Income Tax Department instead of displaying fake phishing pages.

“Before showing the login page to the victim, the malware displays an authentication screen for biometric verification. When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes,” the CRIL added.

The malware now sends the stolen details to the Command and Control (C&C) server.

Once authentication is done, the malware displays the genuine website (of the Income Tax Department) loaded into a Webview.

Drinik then starts screen recording as soon as the victim enters the user ID such as PAN number and Aadhaar number among others and sends the recording to the C&C server.

“Once the victim logs in to the genuine site, the malware executes the onPageFinished() method, which further checks the loaded URL to validate the login status. The malware then checks if the loaded URL is any of the following and confirms the user’s successful login,” the CRIL report said.

If the victim is new, the malware will show a message “To use this functionality, you are required to log in first!” and prompts the victim to log in. Otherwise, the malware will initiate phishing, considering the victim logged in.

After login, the genuine site redirects to the dashboard URL “hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard”.

The malware will now check whether this URL is in the onPageFinished() method and displays a fake dialogue box saying, “Our database indicates that you are eligible for an instant tax refund of Rs.57,100.\– from your previous tax miscalculations till date. Click Apply to apply for an instant refund and receive your refund in your registered bank account in minutes.”

When the victim clicks on Apply, the malware will open the phishing URL- hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved&source=App&uid= .

This URL will redirect to hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid= site which impersonates the genuine Income Tax Department to lure victims to submit sensitive information.

  • HT News Desk
    ABOUT THE AUTHOR
    HT News Desk

    Follow the latest breaking news, major developments and agenda-setting stories from India and around the world with the newsdesk at Hindustan Times. Operating round the clock, the desk brings together experienced editors, reporters and correspondents to deliver fast, accurate and contextual reporting across subjects that influence public policy, governance, business, society and international affairs. The HT News Desk covers politics, elections, government policies, the economy, business and markets, science and technology, the environment, law and order, infrastructure, education, climate issues and geopolitics, while closely tracking developments across states, institutions and global capitals. The team also leads coverage of major breaking news events, policy announcements, court proceedings, natural disasters, public emergencies and significant international developments. Reports published by the newsdesk are based on information gathered from reporters on the ground, official statements, government agencies, court records, regulatory filings, recognised institutions and other authoritative sources. Stories undergo editorial scrutiny and verification processes to ensure accuracy, fairness and relevance, and are updated as events evolve and additional information becomes available. Whether covering a key political decision in New Delhi, an economic policy shift affecting millions, a landmark court ruling or a major global event, the HT News Desk aims to provide readers with reliable, fact-based journalism that delivers not only the latest developments but also the context and analysis needed to understand their wider implications.Read More