Customers of 18 banks in India are being targeted by a new version of the Drinik Android Trojan. In its report, Cyble Research and Intelligence Labs (CRIL) said the upgraded version of Drinik, which impersonates the Income Tax Department of India, targets 18 banks.
Drinik was first discovered in 2016 as an SMS stealer, and the malware has evolved over the years. In August 2021, Drinik was observed to be active again.
A month later, India's Computer Emergency Response Team (CERT-In) warned of malware targeting Indian taxpayers and stated that customers of 27 banks were at risk. During September 2021, taxpayers were explicitly targeted via mobile apps, phishing emails and SMS messages.
The new version of Drinik spreads through an SMS that carries an APK file. The APK installs an app called iAssist, which poses as the Income Tax Department's tax-management tool.
When iAssist is installed on an Android phone, it asks the user to grant permissions including receive SMS, read SMS, send SMS, read call logs, read external storage and write external storage.
iAssist then also asks the user to enable the Accessibility Service for it, initially in order to disable Google Play Protect.
It then abuses the service to grant itself the permissions it needs to start screen recording, disable Google Play Protect, perform automatic gestures and capture keystrokes, CRIL said in its report, adding that the latest Drinik version loads the genuine Income Tax Department website instead of displaying fake phishing pages.
“Before showing the victim's login page, the malware displays an authentication screen for biometric verification. When the victim enters the PIN, the malware steals the biometric PIN by recording the screen with MediaProjection and also captures keystrokes,” CRIL added.
The malware then sends the stolen details to a command-and-control (C&C) server.
Once authentication is completed, the malware displays the genuine Income Tax Department website, loaded in a WebView.
Drinik starts screen recording as soon as the victim enters a user ID such as a PAN or Aadhaar number, and sends the recording to the C&C server.
“Once the victim is logged in to the genuine site, the malware executes the onPageFinished() method, which further checks the loaded URL to verify the login status. The malware then checks whether the loaded URL is any of the following and confirms a successful user login,” the CRIL report said.
If the victim is not yet logged in, the malware displays the message “To use this function, you need to log in first!” and prompts the victim to log in. Otherwise, the malware starts the phishing flow on the assumption that the victim is already logged in.
After login, the genuine site redirects to the dashboard URL hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard.
The malware checks for this URL in the onPageFinished() method and, when it sees it, displays a fake dialog that says: “Our database indicates that you are eligible for an immediate tax refund of Rs 57,100.- from your previous wrong tax calculations so far. Click Apply to apply for an instant refund and get your money back in your registered bank account in minutes.”
When the victim clicks “Apply”, the malware opens the phishing URL hxxp://gia.3utilities[.]com/recover/redir.php?i=refundApproved&source=App&uid=
This URL in turn redirects to hxxp://192.227.196[.]185/1305275237/uv4h.
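The two behaviours described above, the install-time permission set combined with an accessibility service, and the onPageFinished() check for the income-tax dashboard URL that triggers the refund lure, can be picked up during offline static triage of a sample. The following Python script is an added example written for this article; it is not code from the CRIL report or from Drinik itself. The manifest and Java snippets it runs on are constructed samples, and the function names are this example's own.

```python
"""Offline static triage for two Drinik traits from the CRIL write-up.

Added example, not code from the report or the malware:
  1. triage_manifest(): a decoded AndroidManifest.xml that requests the
     SMS / call-log / storage permission set AND declares an accessibility
     service (android.permission.BIND_ACCESSIBILITY_SERVICE).
  2. triage_source(): decompiled Java that overrides onPageFinished() and
     compares the loaded URL with the genuine income-tax dashboard URL.
All sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Permission set the report says iAssist requests at install time.
DRINIK_PERMISSIONS = frozenset({
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which install-time traits a decoded manifest exhibits."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> the system must bind with
    # BIND_ACCESSIBILITY_SERVICE; that attribute is the reliable marker.
    accessibility = any(
        svc.get(ATTR_PERMISSION) == BIND_ACCESSIBILITY for svc in root.iter("service")
    )
    full_set = DRINIK_PERMISSIONS <= requested
    return {
        "missing_permissions": sorted(DRINIK_PERMISSIONS - requested),
        "sms_calllog_storage": full_set,
        "accessibility_service": accessibility,
        "suspicious": full_set and accessibility,
    }


# Source-level markers for the WebView login check and screen capture.
ONPAGEFINISHED_RE = re.compile(r"\bonPageFinished\s*\(")
DASHBOARD_URL_RE = re.compile(r"eportal\.incometax\.gov\.in/iec/foservices/#/dashboard")
MEDIA_PROJECTION_RE = re.compile(r"\bMediaProjection(?:Manager)?\b")


def triage_source(java_source: str) -> dict:
    """Report whether decompiled code hooks page loads to detect a completed login."""
    hook = bool(ONPAGEFINISHED_RE.search(java_source))
    dashboard = bool(DASHBOARD_URL_RE.search(java_source))
    return {
        "onPageFinished_override": hook,
        "dashboard_url_check": dashboard,
        "media_projection": bool(MEDIA_PROJECTION_RE.search(java_source)),
        # Distinguishing trait: the dashboard URL is compared inside the hook.
        "login_hook": hook and dashboard,
    }


# Constructed sample: what a Drinik-style manifest would contain.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.iassist">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="iAssist">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a manifest asking only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

# Constructed sample: a decompiled WebViewClient matching the report's description.
SAMPLE_SOURCE = """public class TaxClient extends WebViewClient {
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        if (url.startsWith("https://eportal.incometax.gov.in/iec/foservices/#/dashboard")) {
            showRefundDialog();  // fake refund prompt shown once login is confirmed
        }
    }
}"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
    print(triage_source(SAMPLE_SOURCE))
```

The manifest check expects a decoded (text) AndroidManifest.xml, for example the one a tool such as apktool writes out; the binary AXML inside the APK will not parse. Neither check is proof of malice on its own: legitimate accessibility and SMS apps request these permissions, which is why the script only raises `suspicious` when the full permission set and the accessibility service appear together, and only raises `login_hook` when the dashboard URL comparison sits next to an onPageFinished() override.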