Drinik Android Banking Trojan

Drinik Android Banking Trojan Description

The Indian Computer Emergency Response Team (CERT-In) is warning Indian residents about an active attack campaign that deploys an Android malware threat named Drinik. The goal of the threat actor is to obtain sensitive personal information from compromised Android devices by luring victims with promises of income tax refunds.

Drinik is not a new threat; it was first observed back in 2016. At that time, its functionality was mostly limited to that of a simple SMS stealer. However, according to CERT-In, the current versions have been developed and improved considerably. The attackers now deploy Drinik as a banking Trojan aimed at collecting banking and financial data alongside other personal details about the victims.

The Attack Chain

The current attack operation begins with the threat actor sending links via SMS messages to unsuspecting users. When clicked, the link leads to a phishing website designed to closely mimic the official page of the Indian Income Tax Department. The fake site asks for personal information about the user before downloading a malicious application to the device. This application carries the Drinik malware.

The application imitates the legitimate software released by the Income Tax Department to help users generate their tax refunds. The fake application asks for various permissions, such as access to SMS messages, call logs and contacts.
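The permission requests described above are the first observable sign of the Trojan, and they can be checked before an APK is ever installed. The script below is an added example written for this page, not code from CERT-In or from any Drinik sample: it parses a decoded AndroidManifest.xml (as produced by apktool, for instance), lists the permissions the app requests, flags the SMS, call-log and contacts permissions that a tax-refund app has no legitimate reason to need, and also reports a broadcast receiver registered for incoming SMS, which an SMS stealer relies on. Both manifests embedded in the script are constructed for illustration, and the verdict thresholds in `triage()` are an assumed triage policy, not a published rule.

```python
import xml.etree.ElementTree as ET

# Android attributes in a manifest live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

# Permissions the page says the fake refund app requests. A tax-refund
# helper has no business reading messages, call logs or contacts.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "receive SMS (OTP theft)",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contacts",
}

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest resembling a fake refund app (not a real Drinik sample).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.taxrefund">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Income Tax Refund">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calculator"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)
    )


def has_sms_receiver(manifest_xml):
    """True if any intent-filter action subscribes to incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NAME) == SMS_RECEIVED_ACTION for a in root.iter("action"))


def triage(manifest_xml):
    """Score a manifest: every high-risk permission and an SMS receiver are findings.

    Thresholds are an assumed policy: 0 findings -> low, 1 -> review, 2+ -> suspicious.
    """
    findings = [
        "%s: %s" % (p, HIGH_RISK_PERMISSIONS[p])
        for p in requested_permissions(manifest_xml)
        if p in HIGH_RISK_PERMISSIONS
    ]
    if has_sms_receiver(manifest_xml):
        findings.append("broadcast receiver registered for " + SMS_RECEIVED_ACTION)
    if not findings:
        verdict = "low"
    elif len(findings) == 1:
        verdict = "review"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("fake refund app", SUSPICIOUS_MANIFEST), ("calculator", BENIGN_MANIFEST)):
        result = triage(manifest)
        print("%s: %s" % (label, result["verdict"]))
        for f in result["findings"]:
            print("  - " + f)
```

Running the script prints "suspicious" with five findings for the constructed refund app and "low" with none for the calculator. In practice the same check belongs in a pre-installation review or an MDM policy: an app whose label and store description promise a tax refund but whose manifest asks to read SMS and contacts matches exactly the pattern this page describes.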

Drinik's Threatening Functionality

After receiving the required permissions, the fake application displays a refund application form. In it, users are asked to provide numerous personal details - full name, PAN, Aadhaar number, address, date of birth, etc. The application doesn't stop there. It also asks for additional sensitive details that may include account numbers, the CIF number, the IFSC code, debit card numbers, CVV, expiry date and PIN. The malicious application pretends that all of this information is required to calculate an accurate tax refund, which will then be transferred directly to the user's account.

However, when victims tap the 'Transfer' button, they are shown an error message and a fake update screen, while in the background the Drinik malware sends their information to the attackers. The cybercriminals then use the victim's personal information to generate a tailored mobile banking screen that asks for the user's mobile banking credentials. The threat actors can then exploit the collected data in a variety of ways, including financial fraud.