Cybercriminals have recently begun using a new Android malware to steal online banking data along with general user information. The Indian Computer Emergency Response Team (CERT-In), a government cyber security agency, is alerting all users, especially mobile banking users, about the malware, which targets users of Indian banks. The agency has also released a notification explaining the steps by which the malware functions. According to the agency, the malware, known as ‘Drinik’, is a new mobile banking Android malware that has already targeted the customers of around 27 private and public sector banks in India.
The Drinik Android malware was used to steal SMS data until about five years ago. As the prevalence of SMS decreases and the majority of user data moves to the internet, cybercriminals have updated Drinik to keep up with mobile banking and other online channels. In this updated avatar, the Drinik Android malware has evolved into a banking Trojan.
How the Drinik malware works:
Like most Trojans and phishing-related malware, Drinik displays a fake banking screen, also known as a phishing screen, to the customer. The user mistakes it for the real banking screen and enters sensitive banking information. The cybercriminals then collect this information and use it to obtain data and money from the real bank servers.
The victim first receives an SMS or an email containing a link that redirects to the phishing screen. The most shocking part is that the email or SMS looks exactly like an official one, and the screen it redirects to resembles an original Government of India website, such as the website of the income tax department. The user mistakes it for the real one and goes forward with the next step.
According to the cyber security agency, this Android malware also masquerades as an income tax department app. When the user downloads the app, it asks for permissions such as access to SMS records, contacts, call logs, etc. Even if the user is suspicious and avoids the phishing website, which is similar to the original one, the same screen with the form is displayed in the Android app. The form includes fields for information such as full name, PAN card number, Aadhaar card number, address, date of birth, mobile number, and email ID. The form also asks users to enter sensitive details such as account number, IFSC code, CIF number, CVV, expiry date, PIN, and debit card number.
The malware also presents itself as a government form and offers the user the option of transferring the refund amount to their account. When the user enters the amount and chooses the transfer option, the application shows an error and then a fake update screen. During this process, the malware sends details such as SMS, call logs, and banking details to the cybercriminals.
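The permission requests described above (SMS records, contacts, call logs) can be checked during app triage. The following is an added example, not code from CERT-In or the original article: it reads a manifest that has already been decoded to text XML and flags an app that requests all three kinds of access together. The package names, sample manifests and the "all three groups" rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups for the data the article says the app asks for.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return (package, permission names) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(ANDROID_NS + "name") for tag in tags for el in root.iter(tag))
    return root.get("package"), {n for n in names if n}

def triage(manifest_xml):
    """Flag an app that requests SMS, call-log and contacts access together."""
    package, perms = requested_permissions(manifest_xml)
    hits = {group: sorted(perms & names)
            for group, names in SENSITIVE.items() if perms & names}
    # Assumed rule: all three groups at once is unusual for a form-filling app.
    return {"package": package, "hits": hits,
            "review": len(hits) == len(SENSITIVE)}

# Constructed samples (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxrefund">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage(sample))
```

A flagged result is a prompt for manual review, not proof of malice, since legitimate apps can also hold these permissions.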
The agency shared the following IOC to help identify the malware:
File Type: .apk