Drinik Android Trojan

A new version of Drinik Android trojan has been discovered, which can steal some of your important bank details.

The Indian government had previously issued a warning to Android users about this malware stealing sensitive information of users in name of generating income tax refunds. Now, another version of the same malware with advanced capabilities has been identified targeting users in India and those who use 18 specific Indian banks.

An upgraded version of Drinik malware has been discovered that targets users by sending an SMS with an APK file. It contains an app called iAssist, which impersonates India’s IT Department’s official tax management tool. Once users install the app on their Android phones, it requests them to grant permissions to certain functions. These include the ability to receive, read, and send SMS, read call log, and read and write to external storage.

After this, the app also requests permission to use the Accessibility Service with the intention to disable Google Play Protect. Once a user grants permission, the app gets the opportunity to perform certain functions without letting a user know about it. The app is able to perform navigation gesture, record screen, and capture key presses.

When the app gets all permissions and access to the functions it wants, it opens a genuine Indian income tax website via WebView, rather than loading a phishing page which is something that was done earlier. While the site is real, the app uses screen recording along with keylogging functionality to users’ login credentials.

The app also has the ability to check if the login is successful to make sure that the data. But, the story is not over yet. Once the log-in is done, a fake dialogue box is displayed on the screen, which says that the tax agency has recognized that the user is eligible for a refund of Rs 57,100 because of some miscalculations done previously. The victim is then given an “Apply” button to receive the refund.

This redirects a user to a phishing page, which looks like an original Income Tax Department website. Here, people are asked to enter their financial details, such as account number, credit card number, CVV, and card PIN.

The app also has a code for abusing the Call Screening Service, which basically means it can disallow incoming calls without the user’s knowledge. Additionally, the cited source reported that there are strings in the APK file that “are encrypted to evade detection by antivirus products, and the malware decrypts them during run time using a custom decryption logic.”

Few Awareness

• Avoid downloading any app from third-party websites or via SMS. People should check out apps on Google Play Store or Apple’s App store.
• Avoid giving SMS and call log permissions to an unknown app. In fact, not all the apps require permission to this in order to perform basic functions.
• If you are getting an important link, SMS or an email related to banking, then you should double check it by visiting the official website, and avoid checking it via any third-party sources.
• The new variant of Drinik relies on the Accessibility Service, so users should make sure that they don’t give permission to access it on their Android phone.