
New Headache for Online Banking Sector: Drinik Malware for Android

Android users in the country need to be extra careful while installing applications.

Sentinel Digital Desk

NEW DELHI: A new version of the notorious Drinik malware is back in action and actively stealing banking credentials from infected phones across the country.

Drinik first came into the picture in 2016 when customers of several banks started reporting problems with their accounts. The attack was so severe that the Indian Government was forced to issue a warning to all Android phone users in this regard. The malware was stealing secure information from the phones in the name of generating income tax refunds.

Popular cyber-security and web crime monitor Cyble has reported the resurgence of this malware. It has also mentioned that the new version is targeting customers of 18 Indian financial organisations, including the State Bank of India.

An upgraded version of the same malware was detected targeting Android users by sending an APK via SMS. The app poses as the Income Tax Department of India's official management tool. Once the user installs the app from the APK, it bypasses the security services provided by Google to detect suspicious activity. After that, it grants itself permission to read and send SMS messages, read call records and write to the internal and external storage of the phone.

Once the user grants the necessary permissions for Google Accessibility Services, the application starts recording gestures, keystrokes and even navigation actions performed by the user.

After this, the app also requests permission to use the Accessibility Service with the intention of disabling Google Play Protect. Once a user grants that permission, the app can perform certain functions without the user knowing about it: it is able to perform navigation gestures, record the screen, and capture key presses.
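The permission set described above (read and send SMS, read call logs, write to storage, plus a bound Accessibility Service) is a useful triage signal for a defender inspecting an unknown APK. The script below is an added example and not code from the article or from Cyble's report: it parses a decoded AndroidManifest.xml (for instance as produced by apktool), collects the declared permissions, checks for a service bound with BIND_ACCESSIBILITY_SERVICE, and flags the manifest when an Accessibility Service is combined with at least two of the risky permission groups. The two manifests embedded in it, including the package names and the service name, are constructed for illustration.

```python
"""
Manifest triage for the permission combination reported for the Drinik
sample. Added example, not the article's or Cyble's code. Assumes a decoded
(text) AndroidManifest.xml using the standard Android manifest schema.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups the article attributes to the malware.
RISKY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample: a fake "tax refund" app with the reported permission set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxrefund">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Tax Refund">
    <service android:name=".RefundAccessibilityService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def declared_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def accessibility_services(root):
    """Names of <service> elements bound as Accessibility Services."""
    found = []
    for svc in root.iter("service"):
        if svc.get(PERMISSION) != A11Y_BIND:
            continue
        actions = {a.get(NAME) for a in svc.iter("action")}
        if A11Y_ACTION in actions:
            found.append(svc.get(NAME))
    return found


def triage_manifest(xml_text):
    """Return a findings dict; 'suspicious' is True when an Accessibility
    Service is combined with two or more of the risky permission groups."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    hits = {label: sorted(perms & wanted)
            for label, wanted in RISKY_GROUPS.items() if perms & wanted}
    a11y = accessibility_services(root)
    return {
        "package": root.get("package"),
        "permission_hits": hits,
        "accessibility_services": a11y,
        "suspicious": bool(a11y) and len(hits) >= 2,
    }


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

The threshold is deliberately a combination rule rather than any single permission: SMS or call-log access alone is common in legitimate apps, but an Accessibility Service alongside several of these groups in an app that arrived by SMS is the pattern the article describes and is worth manual review.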

The malware records not only user IDs and passwords but also other user data, including identification card details such as Aadhaar and PAN. Once these details are entered, the malware leads the user to a phishing page where the user is asked to enter financial details: account number, credit card number, CVV, and PIN.

According to Cyble, the app contains code to block incoming calls without the user's knowledge. The APKs themselves "are encrypted to evade detection by antivirus products, and the malware decrypts them during run time using a custom decryption logic," the report mentioned.
