Drinik Android trojan is utilizing a brand new model to focus on 18 Indian banks, posing because the app utilized by the nation to handle tax funds. The primary goal of those criminals is to steal private and checking account info from their victims.
Malware generally known as Drinik has been within the information since 2016 and is a comparatively outdated malware. Because of this malware, the Indian authorities has beforehand issued a warning to Android customers concerning the opportunity of stolen info getting used to generate earnings tax refunds.
At present, the Drinik app is offered as an APK file that’s built-in into the iAssist app for Android. Fixed monitoring of the completely different variants of Drinik Android malware has been carried out by Cyble Analysis & Intelligence Labs over the previous few years.
Within the case of this malware variant, it communicates with a Command & Management (C&C) server hosted on IP 198[.]12[.]107.13. The earlier marketing campaign had additionally used the identical IP handle for its command and management communication, which signifies that the identical Risk Actor (TA) was behind each campaigns.
Drinik’s Evolution
CRIL has noticed this malware to have 3 completely different variants since final yr. In September 2021, the primary malware variant appeared on the scene, which was used to steal credentials utilizing phishing pages.
Two new variants of the virus have been found within the wild in the course of the yr 2022, which embrace the flexibility to report display screen exercise and log keystrokes.
Nonetheless, the brand new variant of the malware has completely different options, and that’s why we’ve talked about all the weather within the under checklist:-
- Keylogging
- Abuses Accessibility
- A phishing web page is getting used to reap credentials
- The payload APK is downloaded
- Sends SMS from the contaminated system
- Steal incoming SMSs
- Overlay assault
- Display recording
- Receiving instructions through FirebaseCloudMessaging
Stealing Consumer’s Information
In its most up-to-date model, the malware seems as an APK named ‘iAssist,’ which is allegedly the official tax administration device of the Earnings Tax Division of India.
When the applying is put in, it’ll request entry to the person’s SMS, name log, and exterior storage gadgets. Whereas aside from this, a permission request can even be made for receiving, studying, and sending SMS messages.
The following step is to ask the person in the event that they want to give the app permission to make use of the Accessibility Service. Upon granting permission, it makes use of Google Play Defend to carry out the next duties:-
- Navigation gestures
- Report the display screen
- Seize keystrokes
By the tip of the app, the precise Indian earnings tax web site might be loaded through WebView as a substitute of phishing pages; the app might be set as much as steal the person credentials via display screen recordings and keylogging.
APK Metadata Data
- App Title: iAssist
- Bundle Title: lincoln.auy.iAssist
- SHA256 Hash: 86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523
Banks have been focused
Utilizing the Accessibility Service, Drinik always retains an eye fixed on occasions associated to the focused banking apps in order that they will simply implement their attacking course of.
A number of banks are being focused, together with SBI (State Financial institution of India), a financial institution that serves greater than 450,000,000 individuals every day with an enormous community of twenty-two,000 energetic branches.
Utilizing the keystroke information collected from the customers, the malware will try to take advantage of that person’s credentials to ship them to a C2 server if it finds any match.
Suggestions
The cybersecurity specialists have advisable some mitigations, so we’ve listed them under:-
- Software program ought to solely be downloaded and put in from official apps shops.
- Untrusted sources ought to by no means have entry to your card particulars, CVV quantity, card PIN, or Internet Banking credentials.
- Be sure to are utilizing a good antivirus.
- Multi-factor authentication needs to be enforced wherever attainable.
- All the time use sturdy and distinctive passwords.
Additionally Learn: Obtain Safe Net Filtering – Free E-book
