Phishing with IT Returns
CERT-In notified that customers of nearly 27 Indian banks, including major public and private banks, are at risk of attack from a new banking trojan masquerading as an income-tax refund link. The malware involved in the scam is claimed to be Drinik, the latest version of an SMS stealer.
The victims first receive an SMS with a link to a phishing website disguised as the Income Tax Department website, where they are asked to fill in a few personal details before being sent a malicious APK file to download in order to complete verification. On opening the app, the victim is asked to grant permissions to access SMS, call logs and contacts.
If permission is not granted, the same form appears on opening the app, asking for data including full name, PAN, Aadhaar number, address, date of birth, mobile number, email address and financial details like account number, IFS code, CIF number, debit card number, expiry date, CVV and PIN, the federal cybersecurity agency noted.
Once these details are entered, the application states that there is a refund amount that could be transferred to the user’s bank account.
When the user enters the amount and clicks ‘Transfer’, the application shows an error and displays a fake update screen. While the screen for installing the update is shown, the trojan sends the user’s details, including SMS and call logs, to the attacker’s machine in the background.
These details are then used by the attacker to generate the bank-specific mobile banking screen and render it on the user’s device. The user is then requested to enter the mobile banking credentials, which are captured by the attacker. These attacks are likely to jeopardise the privacy and security of sensitive data, ultimately resulting in large-scale attacks and financial frauds.
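For mobile-security teams triaging sideloaded apps, the permission request described above (SMS, call logs and contacts together) is a useful first filter. The following is an added example, not taken from the CERT-In advisory: it assumes the APK's AndroidManifest.xml has already been decoded to text XML (for example with apktool), and the two manifests and their package names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching what the article says the app asks for.
GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

def requested_permissions(root):
    """Collect permission names from <uses-permission> style elements."""
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def triage(manifest_xml):
    """Flag a manifest that requests SMS, call-log and contacts access together."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {g: sorted(perms & wanted) for g, wanted in GROUPS.items() if perms & wanted}
    return {
        "package": root.get("package"),
        "groups": hits,
        "flag": set(hits) == set(GROUPS),  # all three groups present
    }

# Constructed sample manifests (not real apps).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.refundhelper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dialer">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(triage(sample))
```

A flag here is a reason for closer review, not a verdict: legitimate dialer, backup and messaging apps can request the same permissions.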