An upgraded version of the Android banking trojan ‘Drinik’ was found duping Indian taxpayers. As per reports, the app ‘iAssist’ was laced with the latest version of the Drinik malware and impersonated the Income Tax Department of India. It targeted 18 Indian banks, including the State bank of India.
Researchers from the Cyble Research & Intelligence Labs (CRIL) found that the malware used the command and control server hxxp://gia[.]3utilities.com hosted on IP 198[.]12.107[.]13, which was noticed using another variant of the Drinik malware in earlier campaigns. The third version, which is the latest version, takes users to the official website of the Income Tax Department, further leveraging trust among users. The APK uses the name iAssist, which is the official tax management tool of the Indian tax department.
How was the attack launched?
When users installed Drinik injected iAssist, it asked for several permissions to access the device, such as permission to read, receive and send SMS, read the user’s call logs and read and write external storage. The app then took users to the official website, displaying a fake dialogue box asking them to enter their account details. These details were stolen in the process, and a fake message showing an instant tax refund to the user surfaced. The phony instant tax refund message was used to further the attack by taking the user to the phishing site.
With this attack, the user’s biometric data, keystrokes, screen activities, PAN card, Aadhaar card, and other ID card details were also stolen. During verification, the app also exfiltrated every detail, including credit card number, CVV and PIN. Users were shown a confirmation message to approve all the data entered and were lastly asked to enter their income tax return details using net banking credentials. The malware-infected app sent all the information to the C&C server. The individuals impacted by this attack have legitimate income tax site accounts.
CRIL researchers spoke with The Cyber Express team and reiterated the steps to maintain online safety while using apps. They said,
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device to avoid unauthorized access obtained using malicious activities such as keylogging and screen recording.
The Drinik malware
The Drinik malware was first detected in 2016 as an SMS stealer and later in August 2021 with an added banking trojan feature. The Indian Computer Emergency Response Team (CERT-In) reported about a campaign using Drinik malware in September 2021 that also targeted Indian tax payers.