Skip to content

Android malware caught targeting 18 Indian banks

Security analysts at Cyble have discovered a new version of the Drinik Android malware that’s currently going around targeting customers from 18 Indian banks impersonating the Income Tax department of India in a bid to steal personal and financial information from unsuspecting victims. 

This isn’t the first time Drinik has targeted Indian users. The malware has been around the country since 2016, when it was operating as an SMS stealer. Since then, the malware has taken up numerous forms, including one that CERT-In warned about back in September 2021, targeting customers from 27 Indian banks at the time. 

The latest version has developed into a full banking trojan with capabilities including

  • Abuse of accessibility services
  • Screen recording
  • Keylogging
  • Credential harvesting via phishing pages
  • Downloading malicious payloads.

This new version also communicates with a Command & Control (C2) server whose IP address matches the one used in an old campaign, hinting that the same threat actor might be behind the two attacks. 

Android malware caught targeting 18 Indian banks
Evolution of the Drinik malware since September 2021. | Source: Cyble

Since the September 2021 variant, two more malware versions have been discovered, introducing screen recording and keylogging features. Researchers discovered that while the first version used a simple phishing page, the second version implemented screen recording alongside phishing. 

The latest version, as observed on October 18, adds more to this by also implementing a keylogger on top of the two existing methods to ensure no data entered by the user is left untracked. The strings present in the source code are also encrypted to avoid detection with a custom decryption logic to cover the malware’s tracks further. 

In the News: Microsoft fixes a critical vulnerability with its driver blocklist

Fake tax refunds offered to steal financial information

The scam begins with an APK file called ‘iAssist’ posing as the official tax management app from the Indian Income Tax department. Once installed, the app takes permission to receive, read and send SMS, read the user’s call log and access external storage. Finally, the app asks permission to use accessibility services which, if granted, allows it to disable Google Play Protect and perform navigation gestures, screen recording and capture keystrokes. 

Android malware caught targeting 18 Indian banks
The malware presents a real site and uses screen recording to steal credentials. | Source: Cyble

Once the app has all the permissions it needs, it loads up the official website of the Income Tax department and uses screen recording and keylogging instead of phishing to steal user data. From the data captured, the app performs a real-time check to see if the credentials allow it to log into the tax department’s site, ensuring that the data extracted, including user ID, PAN and Aadhar numbers are valid. 

To cap off the scam, the victim is presented with a fake page informing them that they’re eligible for a tax refund of ₹57,100 ($692.32 at the time of writing) due to tax miscalculations. Users are invited to a phishing page to enter financial details, including their account and credit card numbers, CVV and pin, to receive the amount. This is where their financial data gets stolen and sent back to the C2 server. 

Android malware caught targeting 18 Indian banks
Fake tax refund page asking for account number and credit card information. | Source: Cyble

The app further abuses accessibility services to monitor apps from the 18 banks it targets. When a user launches a bank’s app, the malware hops into action and steals the login credentials via keylogging to be sent to the C2 server. This is also where the ‘CallScreeningService’ is abused to block incoming calls without the user’s knowledge to prevent interruptions in the login process. 

In the News: Shutterstock and Getty partner with OpenAI and BRIA

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. We're an ad-supported publication. So, if you're running an Adblocker, we humbly request you to whitelist us.

We may earn a commission if you buy something from a link on this page. Thanks for your support.







>