Indian banks get targeted by the Drinik Android malware

November 2, 2022
India Banking Financial Malware Trojan Drinik Android Mobile Phishing

A new strain of the Drinik Android malware is currently targeting 18 Indian banks. Investigations revealed that the new variant impersonates India's income tax management application in order to steal personal data and banking information.

The Drinik authors have developed their backdoor into a full-fledged Android banking trojan with screen recording, overlay attack, and keylogging capabilities. Moreover, the malware abuses Android's Accessibility Service on the infected device.

The latest Drinik version presents itself as an APK named iAssist, posing as the Indian Income Tax Department's tax management app.

This malicious app first prompts the user to grant it permission to receive, read, and send SMS messages and to write to external storage. The fake app then asks its target to enable it as an Accessibility Service. If the user grants that, the malware can also use the Accessibility Service to disable Google Play Protect.

With these privileges in place, the app loads the legitimate Indian income tax site inside a WebView, so the victim sees the real site while the malware captures the credentials typed into it through keylogging and screen recording.


The Drinik Android malware is cautious with its actions.


According to researchers, the Drinik Android malware checks the page the victim lands on after logging in to confirm that the captured credentials are genuine. The actors then lure the victim with a refund for a supposed tax miscalculation, prompting them to click an 'Apply' button to receive it.

Once the user clicks the 'Apply' button, the page redirects them to a phishing page that mimics the legitimate Income Tax Department site. There, potential victims are asked to enter details such as account numbers, credit card data, CVV, PIN, and other financial information.

Beyond the tax-refund lure, the current Drinik variant targets banks by continuously monitoring Accessibility Service events for activity in banking apps.

Once the malware matches an event to one of the targeted banks, it records the victim's keystrokes, harvests the user credentials from that keylog, and sends them to its command-and-control server.

Lastly, the adversaries abuse Android's CallScreeningService to block incoming calls that might interrupt the data theft or expose the operation.
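The three behaviours described above (the SMS and storage permission requests, the Accessibility Service binding used to watch banking apps, and the CallScreeningService binding used to block calls) all have to be declared in an app's manifest, which makes them useful triage indicators. The following script is an added example, not code from the article or from the researchers it cites: it assumes the APK's manifest has already been decoded to plain XML (for instance with apktool), and the two manifests it scans are constructed for illustration, with invented package names. The permission and action strings themselves are the standard Android ones.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the permission and
service combination the article attributes to Drinik.

Added example (not from the article or any vendor's analysis). Assumes the
manifest is already plain XML, e.g. produced by apktool; the sample
manifests below are constructed and the package names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the fake iAssist app requests, per the article.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
STORAGE_PERM = "android.permission.WRITE_EXTERNAL_STORAGE"

# Standard Android binding permission + intent action an app must declare
# to run as an accessibility service or as a call screening service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"
SCREENING_ACTION = "android.telecom.CallScreeningService"


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def _declares_service(root, bind_permission, action):
    """True if some <service> is guarded by bind_permission and filters action."""
    for service in root.iter("service"):
        if _attr(service, "permission") != bind_permission:
            continue
        for act in service.iter("action"):
            if _attr(act, "name") == action:
                return True
    return False


def triage_manifest(xml_text):
    """Return the indicator findings and a coarse verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),  # not namespaced on <manifest>
        "sms_triad": SMS_PERMS <= perms,
        "external_storage": STORAGE_PERM in perms,
        "accessibility_service": _declares_service(
            root, ACCESSIBILITY_BIND, ACCESSIBILITY_ACTION),
        "call_screening_service": _declares_service(
            root, SCREENING_BIND, SCREENING_ACTION),
    }
    # SMS access plus an accessibility service is already unusual for a
    # "tax" app; adding call screening matches the full Drinik pattern.
    if findings["sms_triad"] and findings["accessibility_service"]:
        findings["verdict"] = (
            "high" if findings["call_screening_service"] else "suspicious")
    else:
        findings["verdict"] = "low"
    return findings


# Constructed manifest mirroring the declarations the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iassist.fake">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="iAssist">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".ScreenService"
        android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("constructed fake iAssist", SAMPLE_MANIFEST),
                            ("constructed benign app", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

This is a triage heuristic, not a signature: a legitimate SMS client with an accessibility feature, or a genuine call-blocking app, will also trip individual indicators, so a "high" verdict should send the APK to manual or sandbox analysis rather than be treated as a conviction on its own.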

The threat posed by the Drinik Android malware calls for extra vigilance in everyday online activity. Researchers advise installing applications only from legitimate sources, such as the iOS App Store and the Google Play Store.

Moreover, users should avoid sharing card details with untrusted parties, enable MFA and biometric security features, run an effective AV solution, use strong account passwords, avoid opening suspicious links from unknown senders, keep Google Play Protect enabled on Android devices, and keep their devices and operating systems up to date.
