The government has warned Android users in India about a malware called Drinik to steal sensitive information by promising to generate income tax refunds. Customers of more than 27 Indian banks have already been targeted with the malware, the Indian Computer Emergency Response Team (CERT-In) wrote in an advisory released online. The nodal agency that deals with cybersecurity threats says that the attackers target victims by sending them a link to a phishing website that looks similar to the Income Tax Department portal. It asks users to download a malicious app that installs the Drinik malware.
The Drinik malware was reportedly used as a primitive SMS stealer back in 2016. CERT-In, though, suggested that it evolved recently as a banking Trojan, targeting Indian customers.
As per the details provided in the advisory by the CERT-In, victims receive an SMS message containing a link to the phishing site. It asks for some personal information and then downloads the app. The malicious Android app acts like a genuine version of the solution created by the Income Tax Department to help generate tax refunds. It requires users to grant permissions to access SMS messages, call logs, and contacts and shows a refund application form that asks for details including full name, PAN, Aadhaar number, address, and date of birth, according to the advisory.
In addition to personal details, the CERT-In says that the app asks for financial details such as account number, IFSC code, CIF number, and even debit card number, expiry date, CVV, and PIN.
The attackers claim that these details will be used to help generate tax refunds sent directly to the account of the user. However, in reality, the agency notes that once the user taps the ‘Transfer’ button on the app, it shows an error and brings a fake update screen. This helps the attacker to run Trojan in the background that shares user details including their SMS messages and call logs.
By using the silently obtained details, the attackers are able to generate a bank-specific mobile banking screen to convince the user to enter their mobile banking credentials. These are later used for conducting financial frauds, the CERT-In said.
The agency advises banking customers to download apps directly from official app stores including Google Play. Users are also recommended to review the app details, number of downloads, user reviews, and comments before downloading an unknown app even from an official source. Additionally, the government body recommends users to not browse untrusted sites or follow untrusted links.