A new upgraded variant of Drinik Android trojan is targeting 18 Indian banks and stealing personal and bank account information from the victims. Drinik has been circulating in India and operating as an SMS stealer since 2016,

The new campaign

Drinik is impersonating the Income Tax Department of India and targeting potential victims across 18 Indian banks to steal their income tax credentials.
  • The latest variant of the malware, found in August, is being distributed as an APK file (iAssist.apk) that is integrated into the iAssist app for Android.
  • It lures victims to claim an instant tax refund, tricking them into submitting personal details such as full name, Aadhar number, PAN number, and financial information.
  • The phishing scam is targeting 18 Indian banks, including the State Bank of India by abusing Accessibility Service. This way, it obtains the necessary permissions to perform several tasks on the compromised systems.

Other variants

Researchers disclosed two other variants—spotted in February, 2022 and September, 2021—primarily harvesting credentials via phishing pages. However, the latest variant is equipped with some advanced capabilities as well.

What are the advanced capabilities?

  • The latest malware is capable of screen recording and keylogging to harvest credentials. It abuses CallScreeningService to manage incoming calls.
  • It receives commands via FirebaseCloudMessaging and launches overlay attacks.

A previous connection

  • According to Cyble researchers, the latest campaign is launched by the same group that attacked Indian banks in September 2021.
  • The group used the same IP address for its command and control communication in both campaigns.

Conclusion

Drinik malware has evolved into an Android banking trojan with advanced features. The discovery of the new two active Drinik variants this year indicates that its operators have enhanced the framework to launch more attacks in near future. Users are recommended to always avoid downloading apps or APKs from untrusted sources and enable multi-factor authentication.
Cyware Publisher

Publisher

Cyware