Fake Income Tax App Can Steal Your Money From Bank A/C: Customers Of SBI & 18 Other Banks At High Risk!

While risking data of 18 bank customers, an upgraded version of Drinik malware has been discovered.

Upgraded Drinik Malware 

It appears that this malware has evolved into an Android trojan that can steal important personal details and banking credentials, According to analysts at Cyble (via Bleeping Computers).

Here Drinik is a malware ailing the banking industry since 2016. 

Then it was operated as an SMS stealer, but now it has added banking trojan features. 

So, it can keylogging, abusing Accessibility services, and performing overlay attacks.

How Does Drinik Android Trojan Attack?

To start with, the latest version of Drinik malware comes in the form of an APK named iAssist. 

As we know that iAssist is the official tax management tool of the India Tax department.

 Once it is installed on a device, the APK file will ask for permission to read, receive and send SMS in addition to reading the user’s call log. 

This will also request permission to read and write to external storage.

So, Drinik relies on Accessibility Service same as other banking trojans.

 Once launched, the malware prompts the victim to grant permissions, followed by a request to enable Accessibility Service. 

Then it disables Google Play Protect and starts executing auto-gestures and capturing key presses.

After this it loads the genuine Indian income tax site, instead of displaying fake phishing pages. 

Instead of showing the login page to the victim, the malware will display an authentication screen for biometric verification. 

Once a victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes. 

These stolen details are then sent to the C&C server.

Who Are The Victims?

Interestingly, the latest version of Drinik, the TA only targets victims with legitimate income tax site accounts. 

As soon as the victim logs into the account successfully, it shows a fake dialogue box on the screen mentioning the message “Our database indicates that you are eligible for an instant tax refund of Rs 57,100 – from your previous tax miscalculations till date. Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes,”.

This is when the user is redirected to a phishing website when he clicks on the Apply button. 

Next, this malware prompts the victim to submit personal details such as full name, Aadhar number, PAN number, and other details along with financial information, which includes Account number, Credit card number, CVV, and PIN. 

This data is again sent to the C&C servers.

So far, this Drinik trojan malware has targeted banks using the Accessibility Service for events related to the targeted banking apps, such as their apps.

Basically, this malware is abusing the “CallScreeningService” to disable incoming calls to interrupt the login and steal data. 

So far, this malware has targeted 18 customers and SBI is one of them.