Drinik started as a primitive SMS stealer back in year 2016 and has evolved recently to a banking
trojan that demonstrates phishing screen and persuades users to enter sensitive banking information.
Customers of more than 27 Indian banks including major public and private sector banks have already
been targeted by the attackers using this malware.
The victim receives an SMS containing a link to a phishing website (similar to the website of Income
Tax Department, Govt. of India) where he is asked to enter personal information and download and
install the malicious APK file in order to complete verification. This malicious android app
masquerades as the Income Tax Department app. After the installation, the app asks the user to grant
necessary permissions like SMS, call logs, contacts etc. If the user does not enter any information on
the website, the same screen with the form is displayed in the android application and the user is
asked to fill in to proceed. The data include full name, PAN, Aadhaar number, address, date of birth,
mobile number, email address and financial details like account number, IFS code, CIF number, debit
card number, expiry date, CVV and PIN.
After these details are entered by the user, the application states that there is a refund amount
that could be transferred to the user's bank account. When the user enters the amount and clicks
"Transfer", the application shows an error and demonstrates a fake update screen. While the screen for
installing update is shown, Trojan in the backend sends the user's details including SMS and call logs
to the attacker's machine. These details are then used by the attacker to generate the bank specific
mobile banking screen and render it on user's device. The user is then requested to enter the mobile
banking credentials which are captured by the attacker.
These attack campaigns can effectively jeopardize the privacy and security of sensitive customer
data and result in large scale attacks and financial frauds.
Indicators of compromise (IOCs)
File Hashes :