The government of India has warned Android users in India about a malware strain called Drinik, which steals sensitive information under the pretext of generating income tax refunds. According to an advisory published online by the Indian Computer Emergency Response Team (CERT-In), the malware has already targeted customers of more than 27 Indian banks.
Drinik was first seen 5 years ago as an SMS stealer. It has since evolved into a banking malware with effective phishing capabilities that persuade users to enter sensitive banking information.
According to the nodal agency for cybersecurity threats, the attackers target victims by sending them a link to a phishing website that mimics the Income Tax Department portal. The site first asks users to download a malicious app, which installs the Drinik malware. Once installed, the app has the user grant it permissions to access SMS messages, call logs and contacts, and then presents a refund request form asking for personal details such as date of birth, PAN, Aadhaar number and address.
In addition to personal information, users are asked to share their bank account number, IFSC code, CIF number and even their debit card number, expiry date, CVV and PIN, CERT-In stated.
According to the attackers' pitch, these details are used to generate a tax refund that is credited directly to the user's account. In reality, the agency stated, once the user taps the ‘Transfer’ option in the app it shows an error and displays a fake update screen; this gives the attacker cover to run a Trojan in the background that exfiltrates user details, including SMS messages and call logs.
Using the stolen details, the attackers can generate a bank-specific mobile banking screen that convinces the user to enter their mobile banking credentials. Those credentials are later used to commit financial fraud, CERT-In said.
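The attack chain above (a sideloaded app that reads SMS, call logs and contacts, then draws a bank-lookalike screen) maps onto a simple device-inventory triage check. The following Python script is an added example, not code from CERT-In or the article: it scores installed apps by install source and the permission categories the advisory describes. The Android permission identifiers and the Play Store installer package name are real; the overlay permission as the mechanism behind the "bank-specific mobile banking screen" is an assumption, as are the sample package names.

```python
"""Triage installed Android apps for the Drinik-like pattern: a sideloaded app
that can read SMS, call logs and contacts and draw over other apps.
Added example; not CERT-In's or the article's code."""

from dataclasses import dataclass, field
from typing import Optional

# Real Android permission identifiers, grouped by the data category the
# advisory says the malware accesses.
PERMISSION_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    # Assumption: an overlay permission is how a bank-lookalike screen would be
    # drawn over the real app; the advisory does not name the mechanism.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Google Play Store installer package (real). Anything else counts as
# sideloaded, which the advisory warns users against.
OFFICIAL_INSTALLERS = {"com.android.vending"}


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]            # None = installed directly from an APK
    permissions: set = field(default_factory=set)


def triage(app: InstalledApp):
    """Return (verdict, findings) for one app.

    high   : sideloaded and touches two or more sensitive categories
    medium : sideloaded with one category, or store-installed with all four
    low    : anything else
    """
    findings = []
    sideloaded = app.installer not in OFFICIAL_INSTALLERS
    if sideloaded:
        findings.append("sideloaded")
    hits = [name for name, perms in PERMISSION_GROUPS.items()
            if app.permissions & perms]
    findings.extend(hits)
    if sideloaded and len(hits) >= 2:
        return "high", findings
    if (sideloaded and len(hits) == 1) or (not sideloaded and len(hits) == 4):
        return "medium", findings
    return "low", findings


# Constructed sample inventory; the package names are hypothetical.
SAMPLE_APPS = [
    InstalledApp("com.example.itr.refund", None,
                 {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CALL_LOG",
                  "android.permission.READ_CONTACTS",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.INTERNET"}),
    InstalledApp("com.example.messenger", "com.android.vending",
                 {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"}),
    InstalledApp("com.example.calculator", "com.android.vending", set()),
]


def triage_all(apps=SAMPLE_APPS):
    """Map each package name to its verdict."""
    return {app.package: triage(app)[0] for app in apps}


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict, findings = triage(app)
        print(f"{verdict:6} {app.package}: {', '.join(findings) or 'nothing notable'}")
```

A messaging app installed from the store legitimately holds SMS and contacts permissions, so the rule keys on install source first and on the combination of categories second; the fake-refund app is the only one that trips the high verdict.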
In the advisory issued through the Government of India, the agency urged users to download apps only from official app stores. It also suggested reviewing an app's details, download count, user reviews and comments before installing an unfamiliar app, even one from an official source. Lastly, it recommended that users avoid browsing untrusted sites or following suspicious links.