The government has issued a warning for Android users in India about malware that is capable of stealing sensitive information by promising to generate income tax refunds. This malware called Drinik has already targeted customers of more than 27 Indian banks.
This information was released in an online advisory by the Indian Computer Emergency Response Team (CERT-In). The nodal agency that deals with cybersecurity threats said that the attackers target victims by sending them a link to a phishing website that looks similar to the Income Tax Department portal. It asks users to download an app and that’s how the Drinik Android malware gets into your system.
Installation of Drinik malware on your Android device
The victim receives an SMS containing a link to a phishing website (similar to the website of the Income Tax Department, Govt. of India), where they are asked to enter personal information and then download and install a malicious APK file in order to complete "verification".
This Android app copies the interface of the Income Tax Department app, so most people can easily be trapped because it looks genuine.
After the installation, the app asks the user to grant necessary permissions like SMS messages, call logs, and contacts and shows a refund application form that asks for details including full name, PAN, Aadhaar number, address, and date of birth, according to the advisory.
If the user does not enter the required bank details on the website, the same form is displayed again inside the Android application and the user is asked to fill it in to proceed.
Once installed, how does Drinik steal your data?
Firstly, to initiate any refund process, it will ask you to fill in all your financial details. The data include full name, PAN, Aadhaar number, address, date of birth, mobile number, email address, and other financial details like account number, IFSC code, CIF number, debit card number, expiry date, CVV, and PIN.
The app claims these details are needed so that the tax refund can be sent directly to the user's account.
In reality, the agency notes, once the user taps the 'Transfer' button the app shows an error and brings up a fake update screen. While the "installing update" screen is displayed, the Trojan in the background sends the user's details, including SMS messages and call logs, to the attacker's machine.
By using the silently obtained details, the attackers are able to generate a bank-specific mobile banking screen to convince the user to enter their mobile banking credentials. These are later used for conducting financial frauds, the CERT-In said.
The user is then asked to enter their mobile banking credentials, which are captured by the attacker. Such attacks jeopardize the privacy and security of sensitive data and can ultimately lead to large-scale attacks and financial fraud.
2016 Version of Drinik Android malware
The earlier version of Drinik appeared in 2016 as a primitive SMS stealer. It has since evolved into a banking Trojan that displays a phishing screen to trick Indian customers into entering sensitive banking information.
How to protect your devices from such malware?
Here’s how you can prevent getting such malware attacks on your Android device and protect your precious data:
- CERT-In recommends limiting your download sources to official app stores, such as your device manufacturer's store or the operating system's store (for example, Google Play); this reduces the risk.
- Users are also advised to review the app details, the number of downloads, user reviews, and comments before downloading an unknown app, even from an official source. Additionally, the government body recommends that users do not browse untrusted sites or follow untrusted links.
- Verify app permissions and grant only those permissions which have relevant context for the app's purpose. Do not check the "Untrusted Sources" checkbox to install side-loaded apps.
- Do not browse untrusted websites or follow untrusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
- Look for suspicious numbers that don't look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number.
- Exercise caution towards shortened URLs, such as those involving bit.ly and TinyURL.
- Always note that any legitimate government website will use a '.gov.in' domain in the link.
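As an added example (not from the advisory or this article), here is a small Python check for the '.gov.in' rule above. It tests the parsed hostname rather than searching the text of the link, so lookalike hosts, links that only mention 'gov.in' in the path, and the 'user@host' trick are flagged, and shortener links are set aside for separate handling. The sample links and the shortener list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links, in the shape a refund SMS might carry; not real URLs.
SAMPLE_LINKS = [
    "https://incometax.gov.in/iec/foportal/",          # genuine '.gov.in' host
    "https://www.incometax.gov.in/refund",             # subdomain of gov.in
    "http://incometax.gov.in.refund-portal.example/",  # lookalike: gov.in is not the suffix
    "https://refund-portal.example/incometax.gov.in",  # 'gov.in' only in the path
    "https://incometax-gov.in/",                       # hyphen instead of dot
    "https://incometax.gov.in@refund-portal.example/", # userinfo trick: real host is after '@'
    "https://bit.ly/3xyzAbc",                          # shortened link, destination unknown
]

# Shortener hosts named in the advice above (assumed list, extend as needed).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}


def classify_link(url: str) -> str:
    """Return 'government', 'shortened' or 'suspicious' for one link.

    A naive `'gov.in' in url` test is satisfied by every lookalike in
    SAMPLE_LINKS, so the decision is made on the parsed hostname only.
    """
    url = url.strip()
    if "://" not in url:            # SMS links often omit the scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious"
    if host in SHORTENER_HOSTS:
        return "shortened"
    if host == "gov.in" or host.endswith(".gov.in"):
        return "government"
    return "suspicious"


def triage(links) -> dict:
    """Map each link to its classification; handy for a batch of SMS links."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:11s} {link}")
```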