It has been observed that Indian banking customers are being targeted by a new mobile banking campaign using the Drinik Android malware. Drinik started as a primitive SMS stealer back in 2016 and has recently evolved into a banking Trojan that displays phishing screens and persuades the user to enter sensitive banking information. Customers of more than 27 Indian banks, including major public and private sector banks, have already been targeted by the attackers using this malware.
Attack vector
The victim receives an SMS containing a link to a phishing website (resembling the website of the Income Tax Department, Government of India) where they are asked to enter personal information and to download and install a malicious APK file in order to complete "verification". The malicious Android app masquerades as the Income Tax Department app. After installation, the app asks the user to grant permissions such as SMS, call logs and contacts. If the user did not enter any information on the website, the same form is displayed inside the Android application and the user is asked to fill it in to proceed. The data requested include full name, PAN, Aadhaar number, address, date of birth, mobile number, email address, and financial details such as account number, IFS code, CIF number, debit card number, expiry date, CVV and PIN.
After the user enters these details, the application claims that a refund amount can be transferred to the user's bank account. When the user enters the amount and clicks transfer, the application shows an error and then displays a fake update screen. While the update screen is shown, the Trojan in the background sends the user's details, including SMS and call logs, to the attacker's machine. The attackers then use these details to generate a bank-specific mobile banking screen and render it on the user's device. The user is asked to enter their mobile banking credentials, which are captured by the attacker. These campaigns effectively jeopardize the privacy and security of sensitive customer data and can result in large-scale attacks and financial fraud.
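As an added example (not code from the advisory or from CERT-In), the following Python script triages a decoded AndroidManifest.xml for the permission profile the advisory describes: SMS, call log and contact access requested by an app whose label impersonates the income tax department. It assumes the manifest has already been decoded to plain XML (for instance with apktool). The package names, labels and the two sample manifests are constructed for this demonstration, and treating the overlay permission as a strong signal is an assumption about how such a Trojan draws its fake banking screen rather than something the advisory states.

```python
"""Triage a decoded AndroidManifest.xml for the Drinik-style permission profile.

Added example, not code from the advisory or from CERT-In. Assumes the APK has
already been decoded to plain XML (e.g. with apktool). Sample manifests below
are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Permissions matching the data the advisory says the app asks for
# (SMS, call logs, contacts). These are real Android permission names.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
# Assumption: an app that draws a fake banking screen on top of other apps
# usually needs the overlay permission, so it is weighted more heavily.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed keyword list for a tax-department impersonator's app label.
# A production check would compare against the official package name instead.
IMPERSONATION_KEYWORDS = ("income tax", "incometax", "it refund", "tax refund")


def parse_manifest(xml_text: str) -> dict:
    """Return package name, declared permissions and app label from a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission") if p.get(NAME_ATTR)}
    app = root.find("application")
    label = (app.get(LABEL_ATTR) if app is not None else "") or ""
    return {"package": root.get("package", ""), "permissions": perms, "label": label}


def triage(xml_text: str) -> dict:
    """Score a manifest: one point per sensitive-data permission, two each for
    the overlay permission and a tax-service impersonating label."""
    info = parse_manifest(xml_text)
    hits = info["permissions"] & SENSITIVE_PERMISSIONS
    overlay = OVERLAY_PERMISSION in info["permissions"]
    label_lower = info["label"].lower()
    impersonates = any(k in label_lower for k in IMPERSONATION_KEYWORDS)
    score = len(hits) + (2 if overlay else 0) + (2 if impersonates else 0)
    return {
        "package": info["package"],
        "sensitive_permissions": sorted(hits),
        "overlay": overlay,
        "impersonates_tax_service": impersonates,
        "score": score,
        "suspicious": score >= 4,
    }


# Constructed sample: the profile described in the advisory.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.refund">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Income Tax Refund"/>
</manifest>"""

# Constructed sample: an ordinary app that should not be flagged.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

The score threshold is deliberately conservative: SMS plus call log plus contacts alone (three points) is common in legitimate dialer or messaging apps, so the check only flags when the overlay permission or an impersonating label pushes the profile to the one the advisory describes.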
Some of the screenshots shared by CERT-In are:
Source and more details at the CERT-In website.