Friday, June 14, 2024

Drinik Malware With Advanced Capabilities Targeting 18 Indian Banks

Drinik Android trojan is using a new version to target 18 Indian banks, posing as the app used by the country to manage tax payments. The main aim of these criminals is to steal personal and bank account information from their victims.

Malware known as Drinik has been in the news since 2016 and is a relatively old malware. As a result of this malware, the Indian government has previously issued a warning to Android users regarding the possibility of stolen information being used to generate income tax refunds.

Currently, the Drinik app is available as an APK file that is integrated into the iAssist app for Android. Constant monitoring of the different variants of Drinik Android malware has been conducted by Cyble Research & Intelligence Labs over the past few years.

In the case of this malware variant, it communicates with a Command & Control (C&C) server hosted on IP 198[.]12[.]107.13. The previous campaign had also used the same IP address for its command and control communication, which indicates that the same Threat Actor (TA) was behind both campaigns.

Drinik’s Evolution

CRIL has observed this malware to have 3 different variants since last year. In September 2021, the first malware variant appeared on the scene, which was used to steal credentials using phishing pages.

Two new variants of the virus have been discovered in the wild during the year 2022, which include the ability to record screen activity and log keystrokes.

However, the new variant of the malware has different features, and that’s why we have mentioned all the elements in the below list:-

  • Keylogging
  • Abuses Accessibility
  • A phishing page is being used to harvest credentials
  • The payload APK is downloaded
  • Sends SMS from the infected device
  • Steal incoming SMSs
  • Overlay attack
  • Screen recording
  • Receiving commands via FirebaseCloudMessaging

Stealing User’s Data

In its most recent version, the malware appears as an APK named ‘iAssist,’ which is allegedly the official tax management tool of the Income Tax Department of India.

When the application is installed, it will request access to the user’s SMS, call log, and external storage devices. While apart from this, a permission request will also be made for receiving, reading, and sending SMS messages.

The next step is to ask the user if they wish to give the app permission to use the Accessibility Service. Upon granting permission, it uses Google Play Protect to perform the following tasks:-

  • Navigation gestures
  • Record the screen
  • Capture keystrokes

By the end of the app, the actual Indian income tax website will be loaded via WebView instead of phishing pages; the app will be set up to steal the user credentials through screen recordings and keylogging.

APK Metadata Info

  • App Name: iAssist
  • Package Name: lincoln.auy.iAssist
  • SHA256 Hash: 86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523

Banks were targeted

Using the Accessibility Service, Drinik constantly keeps an eye on events related to the targeted banking apps so that they can easily implement their attacking process.

Several banks are being targeted, including SBI (State Bank of India), a bank that serves more than 450,000,000 people daily with a huge network of 22,000 active branches.

Using the keystroke data collected from the users, the malware will attempt to exploit that user’s credentials to send them to a C2 server if it finds any match.


The cybersecurity experts have recommended some mitigations, so we have listed them below:-

  • Software should only be downloaded and installed from official apps stores.
  • Untrusted sources should never have access to your card details, CVV number, card PIN, or Net Banking credentials.
  • Make sure you are using a reputable antivirus.
  • Multi-factor authentication should be enforced wherever possible.
  • Always use strong and unique passwords.

Also Read: Download Secure Web Filtering – Free E-book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles