A brand-new version of the Drinik Android malware has targeted 18 banks in India. The Trojan horse impersonated the country’s dedicated tax management application to steal the personal information and bank credentials of customers.

The Drinik malware has been in circulation in India since 2016, when it was a simple SMS stealer. In September last year, however, it gained banking trojan features. With this new capability the malware has been aimed at 27 different financial institutions, directing victims to malicious webpages designed to steal their data.

Threat analysts at Cyble have been tracking the malicious software and report that its developers have now evolved it into a fully fledged Android banking trojan. As a result, it now has a long list of capabilities, including keylogging and screen recording, and it can also abuse the Accessibility Service and perform overlay attacks.

Harvesting credentials from legitimate websites

The latest edition of the Trojan malware comes as an Android Package Kit (APK) called ‘iAssist,’ which masquerades as the Income Tax Department of India’s official tool for tax management.

When installed, it asks the user for permission to read, receive and send SMS messages and to read the call log. It also requests permission to read and write external storage.

The app then asks the user to grant it the Accessibility Service. Once granted, the malicious app disables Google Play Protect and uses the service to perform navigation gestures, log keystrokes and record the screen.
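As an added example (not code from the article or from Cyble), here is a small triage check that flags an Android manifest requesting the permission profile described above: SMS read/receive/send, call log, external storage, and a service bound with the accessibility permission. It assumes the manifest has already been decoded from the APK to plain XML (for instance with apktool); the package names and manifests below are constructed, not taken from the real sample.

```python
import xml.etree.ElementTree as ET

# Attribute names in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching what the article says 'iAssist' asks for.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
CALL_LOG_PERM = "android.permission.READ_CALL_LOG"
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.WRITE_EXTERNAL_STORAGE"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the SMS + call log + storage + accessibility-service combination."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    acc_services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                    if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM]
    findings = {
        "sms_control": SMS_PERMS <= requested,          # read, receive and send
        "call_log": CALL_LOG_PERM in requested,
        "external_storage": bool(STORAGE_PERMS & requested),
        "accessibility_service": bool(acc_services),
    }
    hits = sum(findings.values())
    # Accessibility plus at least two of the other three is the profile worth a manual look.
    findings["verdict"] = "review" if findings["accessibility_service"] and hits >= 3 else "ok"
    return findings


# Constructed manifest mimicking the permission set described above (not the real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed.iassist">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AssistService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

Legitimate apps (SMS clients, accessibility tools) can hit one or two of these flags, so the verdict is a triage cue for a human review rather than a malware verdict on its own.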

Rather than showing a phishing page as earlier versions did, the app then loads the genuine Indian income tax site in a WebView and harvests the user's credentials through its keylogger and screen recording.

The Drinik malware also checks whether the victim navigated to a URL indicating a successful login, to confirm that the stolen credentials are valid and therefore valuable.

From here, the user is shown a fake dialogue box stating that the tax agency has found them eligible for a considerable refund due to a tax miscalculation, and inviting them to tap a button marked “Apply” to receive the money owed to them.

Caught in a phishing snare

If the user taps “Apply”, they are taken to a dedicated phishing page that is a clone of the legitimate Income Tax Department website. On this malicious landing page they are asked to enter sensitive financial information, including their bank account number, credit card number, CVV and card PIN.

Drinik also continuously monitors the Accessibility Service for events related to the banking applications it targets, which is how it reaches customers of the 18 banks. Among the targeted financial institutions is the State Bank of India (SBI), one of the world’s largest banks, with an extensive network of over 22,000 branches and 450 million customers.