Home / Advisory / The Banking Trojan targeting Banking Apps on Smart Mobile Phones making the round: The New Version of Drinik malware Targeting Indian Consumers of 18 such Banks

The Banking Trojan targeting Banking Apps on Smart Mobile Phones making the round: The New Version of Drinik malware Targeting Indian Consumers of 18 such Banks

Posted on
Cyber Secure India

A ‘Banking Trojan’ is a piece of malware that is used primarily to steal banking credentials by remotely installing malicious software on a victim’s computer system or Smart Mobile Phone. ‘Banking Trojans’ are tailored to specific types of computers and is seen to be using the Windows registry for installation, in its earlier metaphor. (What is a Trojan: What is a Trojan? A trojan is any type of malicious program disguised as a legitimate one) Also we can define a ‘Banking Trojan’ as a variant of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems.

The sophistication of this Malware was for years restricted to the Desktop or Laptop Operating System Machine. However, post its penetration into the Indian Banking system in year 2016, the new version thereof has been more potent and is aimed at penetration into most of the Android devices, through User Behaviour Manipulation.

In a recent development, the metaphor of the Old Version of the Banking Trojan, “Drinik” has made it into the Androids. This new variant of the Drinik Android malware is said to be targeting Indian Banks, as reported. The revised strategy to fool consumers is through the means of masquerading, and guising as the country’s official tax management application. Here again the aim is to obtain victims’ personal information and banking credentials.

The Modus-Operand

The malware Drinik was first noticed in September 2021, but now the bad actors have added more capabilities to protect themselves from detection and have also built in more capabilities with an aim to target larger audience.

  • The latest version of the malware comes in the form of an APK named ‘iAssist,’ which is supposedly India’s Income Tax Department’s official tax management tool.
  • The installation of this new app, may be directed through a targeted SMS Campaign or by prompting a popup from other spurious websites.
  • Here again the installation of the Legitimate App masquerades the hackers utilities which is done in the backdoor once permissions are granted by the user. The Hacker is seen to be utilising the ‘grant permissions’ to the Tail App, that is associated (by the hacker) with “iAssist”
  • Upon installation, the permissions that is sought includes: receive, read, and send SMS, read the user’s call log, and read and write to external storage, etc.
  • Remember, here that the inherent Google Safety feature is required to be disabled, so as to facilitate the hacker to also install the ‘KeyLogger’ App.
  • Next, it requests the user the allow the app to (ab)use the Accessibility Service. If granted, it disables “Google Play Protect” and uses it to perform navigation gestures, record the screen, and capture key presses.
  • Further, the actual ‘Indian Income Tax site’ is now loaded through the ‘WebView’. This is done through the Spurious App installed in the backdrop. (In the earlier version the similar phishing pages was being loaded.
  • Now the stealing of credentials is done through the recording of the mobile screen and using the keylogger.
  • At this stage, the victim is served a fake dialogue box saying that the tax agency found they’re eligible for a refund of Rs 57,100 ($700) due to previous tax miscalculations and are invited to tap the “Apply” button to receive it.
  • This now is the final intent of the hacker; on clicking “Apply”, this action takes the victims to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information, including account number, credit card number, CVV, and card PIN.
  • This data is then pushed to the C2 server.

Cyber Secure India”, during its analysis, was not able to list out the affected Banks, however, the based on the technique employed, all banks can be affected by this Trojan.

Safety Measures to Protect Your Banking Credentials

Presently, this form of attack is only found for the Android Platform of Smart Phones and Tabs. And here below are a few advisory to ensure your safety while using Smart Phones for Banking Purposes:

  • It is advised to update the Browser being used on the Smart Phone, and also ensure that the Security Patches are always updated on the device.
  • Don’t install software recommended by an SMS message or from an unfamiliar website.
  • Always double-check information received through a link, SMS, or email with regards to Banking instructions and related matters.
  • It will always be a good practice to check if the “Google Play Protect” is always turned ‘ON’ while downloading and installing any app on the Smart Phone.
  • It is also advisable to only download apps on the Android phone from Google Play Store or Apple App Store, and completely avoid side-loading apps or APKs from third-party app stores or websites.
  • Enable biometric authentication security on apps and for the lock screen. Or use of PIN based Access for the Smart Phone.
  • Never let an unidentified app access to your text messages or call history.
  • Don’t give all permissions of your phone to all apps.
  • Since the latest Drinik version uses the Accessibility Service, Android users should deny access to that service.


%d bloggers like this: