New Delhi. A new version of the Drinik Android Trojan has reportedly been spotted that can steal people's banking details. Drinik is an old malware family that has been in the news since 2016. The Indian government had earlier warned Android users about this malware, which stole users' personal information under the pretext of generating income tax refunds. Now another version of the same malware, with more advanced capabilities, has been spotted by Cyble. It specifically targets users in India, and customers of 18 Indian banks in particular. Among these banks, SBI customers currently appear to be Drinik's primary target.
New Drinik Android Banking Trojan Found
The new Drinik variant targets users by sending an SMS carrying an APK file. The package contains an app called iAssist, which poses as India's official Income Tax management tool. Once users have installed the app on their Android phone, it asks them for permission to use certain functions. These include the ability to receive, read and send SMS, read call logs, and read and write external storage.
The app then also requests permission to use the Accessibility service, with the intention of disabling Google Play Protect. Once the user grants it, the app can act without informing the user. It is capable of capturing navigation gestures, recording the screen and logging key presses.
When the app has obtained all the permissions and functions it asks for, it opens the genuine Indian Income Tax website in a WebView, instead of loading a phishing page as earlier versions did. Although the site is genuine, the app uses screen recording together with keylogging to capture the users' login credentials.
The app also checks whether the login succeeded, to confirm that the stolen data is accurate. Once the user is logged in, a fake dialog box opens on the screen stating that the tax agency has determined the user is eligible for a refund of Rs 57,100 because of some incorrect assumptions made earlier. The victim is then shown an "Apply" button to claim the refund. It redirects the user to a phishing page that looks like the real Income Tax Department website. Here people are asked to enter financial details such as account number, credit card number, CVV and card PIN.
Cyble revealed that the app also contains code to abuse the call screening service, which in practice lets it reject incoming calls without the user's knowledge. It has also been found that the APK file contains strings that are encrypted to avoid detection by antivirus products; the malware decrypts them at run time using custom decryption logic.

Avoid downloading any app through a third-party website or from an SMS link. People should look for apps on the Google Play Store or Apple's App Store.
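The permission set described above (SMS, call log and external storage, plus an Accessibility service and a call-screening service) is exactly what an analyst or app-vetting pipeline would look for when triaging a suspicious APK's AndroidManifest.xml. The following is an added example, not code from the original report or from Cyble's tooling: a small triage heuristic that parses a manifest and names each capability the article attributes to Drinik. The permission strings are the standard Android ones; the sample manifest is constructed for illustration and is not the real iAssist package, and the "suspicious"/"review"/"clean" thresholds are this example's own assumptions.

```python
"""Manifest triage heuristic for the permission combination described in the
article. Hypothetical helper written for this page; the sample manifest is
constructed and does not come from the real APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups the dropper asks the user to grant.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CALL_LOG_PERMS = {"android.permission.READ_CALL_LOG"}
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# A declared <service> must carry these permissions for the system to bind it
# as an Accessibility service or a call-screening service respectively.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CALL_SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"


def parse_manifest(xml_text):
    """Return (requested permissions, permissions declared on <service> tags)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    requested.discard(None)
    bound.discard(None)
    return requested, bound


def triage(xml_text):
    """Name each capability from the article that this manifest enables."""
    requested, bound = parse_manifest(xml_text)
    findings = []
    if requested & SMS_PERMS:
        findings.append("sms")  # read/receive/send SMS: OTP interception risk
    if requested & CALL_LOG_PERMS:
        findings.append("call_log")
    if requested & STORAGE_PERMS:
        findings.append("external_storage")
    if ACCESSIBILITY_BIND in bound:
        # Accessibility lets an app observe gestures and keystrokes and toggle settings
        findings.append("accessibility_service")
    if CALL_SCREENING_BIND in bound:
        # A call-screening service can silently reject incoming calls
        findings.append("call_screening")
    return findings


def verdict(findings):
    """Accessibility combined with SMS or call-log access is the pairing to escalate
    (threshold is an assumption of this example, not a published rule)."""
    if "accessibility_service" in findings and ({"sms", "call_log"} & set(findings)):
        return "suspicious"
    if findings:
        return "review"
    return "clean"


# Constructed sample manifest mirroring the article's description (not the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Tax Helper">
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".Screener"
            android:permission="android.permission.BIND_SCREENING_SERVICE"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST)
    print(found, verdict(found))
```

In practice the manifest would be pulled from the APK with a decoding tool first; the heuristic only flags the combination for a human to look at, since legitimate dialers and accessibility tools request some of these permissions too.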
Refrain from granting SMS and call log permissions to an unknown app. Not every app needs such permissions to perform its basic functions, so users should be careful when they are requested. If you receive any important link, SMS or email related to banking, verify it by visiting the official website rather than checking it through any third-party source. The new version of Drinik relies on the Accessibility service, so users should make sure they do not grant it access on their Android phones.