Analysts at Cyble said that a new Android version of the Drinik Trojan targets 18 Indian banks and masquerades as the country's official tax app to steal victims' personal information and bank credentials.
According to experts, Drinik has been attacking India since 2016, but since September 2021 it has been operating as a banking Trojan for Android with the following features:
- screen recording;
- keylogging;
- use of accessibility services;
- execution of overlay attacks.
The latest version of Drinik comes in the form of an APK file of the iAssist app, which is supposedly the official tax management tool in India. Once installed, it asks for permission to access SMS, the user's call log, and external storage.
Drinik also asks for permission to use the Accessibility Service. Once that permission is granted, the malware abuses the service to disable Google Play Protect, perform navigation gestures on the user's behalf, record the screen, and capture keystrokes.
Drinik then loads the genuine Indian income-tax site in a WebView and steals the user's credentials by recording the screen and logging keystrokes while the victim signs in.
At this point, a bogus dialog box is displayed offering the user a $700 tax refund due to previous tax miscalculations.
When the user agrees and clicks the "Accept" button, they are redirected to a phishing page, a clone of the real Income Tax Department site, that asks them to enter payment card details.
In order to target the 18 banks in India, Drinik constantly monitors the accessibility service for events and keywords related to targeted banking applications.
If there are matches, the malware collects the keylogger data containing the user's credentials and exfiltrates it to the command and control (C&C) server. During the attack, Drinik uses the "CallScreeningService" to deny incoming calls that could interrupt the login.
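The combination described above (SMS, call-log and storage permissions, plus an accessibility service and a CallScreeningService declared in the same app) is a useful static triage signal when you have a decoded AndroidManifest.xml in hand. The following is an added example written for this article, not code from Cyble or from the malware itself: it scores a decoded manifest on exactly those indicators. The package names and both manifests are constructed for the example, and the check assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool), which this snippet does not do.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article reports Drinik requesting after install.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# A service bound with these permissions is, respectively, an accessibility
# service and a call-screening service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml on the Drinik-style indicator set.

    Heuristic only: legitimate call blockers and assistive apps declare the
    same services, so a hit is a reason to look closer, not a verdict.
    """
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    bound = {s.get(PERMISSION) for s in root.iter("service")}

    findings = {
        "package": root.get("package"),
        "data_permissions": sorted(requested & DATA_PERMISSIONS),
        "accessibility_service": ACCESSIBILITY_BIND in bound,
        "call_screening_service": SCREENING_BIND in bound,
    }
    # One point per sensitive data permission, two for each abusable service.
    score = (
        len(findings["data_permissions"])
        + 2 * int(findings["accessibility_service"])
        + 2 * int(findings["call_screening_service"])
    )
    findings["score"] = score
    # Accessibility access is the hinge of the whole chain (Play Protect
    # disabled, gestures, screen capture, keylogging), so require it.
    findings["suspicious"] = findings["accessibility_service"] and score >= 5
    return findings


# Constructed manifest mirroring the article's description; the package
# name is hypothetical.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxhelper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CallBlocker"
        android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a plausible benign call-blocking app (hypothetical
# package name): it screens calls but has no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callblocker">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".Screener"
        android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The hinge condition matters: without the accessibility service, none of the reported behaviour (disabling Play Protect, gesture automation, screen recording, keystroke capture) is possible, so the benign call blocker scores low and is not flagged even though it declares the same CallScreeningService. Run the check on the decoded manifest of every sideloaded "tax" or "government" APK you are asked to look at, and treat a hit as a prompt for dynamic analysis rather than as attribution to Drinik.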
One of the target banks is the State Bank of India (SBI), one of the largest banks in the world, serving 450 million people through an extensive network of 22,000 branches.
By targeting Indian taxpayers and banking customers, Drinik has a huge pool of potential victims, so each new feature that works in practice can translate into significant financial gains for the malware operators.