An advanced version of the Drinik malware has affected more than 18 Indian banks.
Over the years, the Drinik malware has undergone various modifications and last year CERT-In (Indian Computer Emergency Response Team) issued an advisory on this virus which affected users of 27 banks. Since then, the Drinik malware has received a few modifications that allow it to record your screen and log keystrokes.
The updated version of the malware, disguised as the iAssist income tax service tool, tricks the victim into granting it sweeping access to the device and then steals valuable information.
How Drinik malware steals your financial information
The Drinik malware comes in the form of an APK file named iAssist. An Android package (file extension .apk) is the file format used by the Android operating system, and by a number of other Android-based operating systems, for the distribution and installation of mobile applications, mobile games and middleware. iAssist is the name of the official tax management tool of the Income Tax Department in India, which the malicious APK impersonates.
Once installed, the Drinik malware will request permission to read, receive and send SMS messages in addition to reading the user’s call log. It also asks for permission to read and write to external storage. Similar to other banking trojans, Drinik relies on the accessibility service. Since most apps require this feature, many users don’t pay attention when they click the “grant access” button. This should not be taken lightly.
The malware then disables Google Play Protect and starts performing automatic gestures and capturing key presses.
It then loads the real Indian income tax site instead of showing fake phishing pages. Before showing the login page to the victim, the malware displays an authentication screen for biometric verification.
When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes. The stolen details are then sent to the C&C server.
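The infection chain above rests on a permission set that a defender can triage directly from an APK's manifest: read, receive and send SMS, read the call log, read and write external storage, bind an accessibility service, and (on newer Android versions) run a foreground service of type mediaProjection for screen recording. The script below is an added example, not code from the article or from any analysis of the real sample: it parses a constructed AndroidManifest.xml, collects the requested permissions and declared services, and reports the combination the article describes. The package names, the sample manifests and the scoring thresholds are assumptions made for illustration.

```python
# Added example (not from the article): triage an AndroidManifest.xml for the
# permission and service combination the article attributes to Drinik.
# Heuristic only: it flags a pattern worth a closer look, not a verdict on intent.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Permission groups taken from the behaviour described in the article.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
CALL_LOG_PERM = "android.permission.READ_CALL_LOG"
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml):
    """Return the package name, the matched findings and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {android_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    if SMS_PERMS <= requested:
        findings.append("sms-read-receive-send")
    if CALL_LOG_PERM in requested:
        findings.append("call-log")
    if STORAGE_PERMS & requested:
        findings.append("external-storage")
    for svc in root.iter("service"):
        # An accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE.
        if android_attr(svc, "permission") == ACCESSIBILITY_BIND:
            findings.append("accessibility-service")
        # Screen capture via MediaProjection runs as a foreground service of this type.
        fg_type = android_attr(svc, "foregroundServiceType") or ""
        if "mediaProjection" in fg_type:
            findings.append("media-projection-service")
    # Accessibility control plus full SMS access is the pairing that lets a
    # banking trojan drive the UI and read and send SMS on the victim's behalf.
    if "accessibility-service" in findings and "sms-read-receive-send" in findings:
        verdict = "high"
    elif len(findings) >= 2:
        verdict = "medium"
    elif findings:
        verdict = "low"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample: a manifest matching the article's description.
# The package name is invented for the example.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.iassist">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="iAssist">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Capture" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(xml_text))
```

Run as a script it prints one result per sample manifest; in practice the XML would come from a decoded APK (the manifest inside an APK is binary-encoded and must be decoded first). The verdict thresholds are deliberately simple; the value of the check is the list of findings, which tells an analyst which capabilities to confirm in the decompiled code.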
Worryingly, in the latest version of Drinik, the threat actor (TA) only targets victims with legitimate accounts on the income tax site. After the victim successfully logs into the account, a fake dialog box appears on the screen with the following message:

“Our database indicates that you are eligible for an instant tax refund of ₹57,100 – from your previous tax calculation errors to date. Click Apply to request an instant refund and receive your refund in your saved bank account within minutes.”

When the user clicks the Apply button, they are redirected to a phishing site. The malware now prompts the victim to submit personal information such as full name, Aadhaar number, PAN number and other details, along with financial information including account number, credit card number, CVV and PIN. The stolen data is again sent to the C&C servers.