Bank customers, especially in India, are being targeted by a new mobile banking campaign that uses the Drinik Android malware under the pretext of a refund from the Income Tax (I-T) department. Drinik, which started out in 2016 as a primitive SMS stealer, has since evolved into a banking trojan that persuades customers to hand over sensitive information and their bank account credentials.
According to the Indian Computer Emergency Response Team (CERT-In), customers of more than 27 Indian banks, including major public and private sector banks, have already been targeted by the attackers using this malware.
Bank customers receive an SMS containing a link to a phishing website that mimics the I-T portal. There the customer is asked to share personal information and to download and install a mobile app to "complete verification". The app, delivered as an APK file, is malicious, although it is styled to look like the I-T department's own app.
After the installation, this app asks the user to grant necessary permissions to access SMS, call logs, and contacts from the mobile device.
Even if the user entered nothing on the fake I-T website (whose purpose is to push the app download and "complete verification"), the downloaded Android app displays a similar form. The user is asked to fill in details to proceed with verification for a refund.
The user is asked to share data like full name, permanent account number (PAN), Aadhaar number, address, date of birth, mobile number, email address and financial details like bank account number, Indian financial system code (IFSC), customer information file (CIF) number, debit card number, expiry date, card verification value (CVV) and personal identification number (PIN).
Once the user shares this information, the app displays a screen that shows a tax refund for the user, which can be transferred to the user's bank account. When the user enters the refund amount and clicks on the transfer button, the mobile app shows an error to update the app.
While the update screen is displayed, the trojan sends the user's details, together with SMS messages and call logs, to the attacker's server in the background. The attacker uses these details to generate the target bank's mobile banking screen and render it on the user's device. The user is then asked to enter their mobile banking credentials, which the attacker captures.
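The permission set described above (SMS, call logs, contacts) together with the ability to draw a bank-specific screen over the device is the signature of this kind of trojan. The following is an example added by the editor, not code from the article or from CERT-In: it reads the permissions declared in a decoded AndroidManifest.xml (as produced by apktool or similar) and flags the combination a Drinik-style app needs. The permission names are real Android ones; the grouping into capabilities, the sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Added example (editor's own), not the article's or CERT-In's code.
# Reviews the <uses-permission> entries of a decoded AndroidManifest.xml and
# flags the combination a Drinik-style banking trojan relies on.

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the attack step each one enables.
# The grouping is this example's own, based on the behaviour the article describes.
CAPABILITIES = {
    "android.permission.READ_SMS": "sms_access",          # read stored messages, including bank OTPs
    "android.permission.RECEIVE_SMS": "sms_access",       # intercept incoming messages
    "android.permission.READ_CALL_LOG": "data_exfil",     # call logs sent to the attacker
    "android.permission.READ_CONTACTS": "data_exfil",     # contacts sent to the attacker
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",  # draw a fake bank screen over other apps
    "android.permission.INTERNET": "network",             # talk to the attacker's server
}

# What a "document verification" app plausibly needs: network access only (assumption).
EXPECTED_FOR_VERIFICATION_APP = {"android.permission.INTERNET"}

# Constructed manifest for illustration; the package name and label are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.itrefund">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Income Tax Refund"/>
</manifest>
"""


def manifest_permissions(manifest_xml: str) -> list:
    """Return the permission names declared by <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def assess(permissions, expected=EXPECTED_FOR_VERIFICATION_APP) -> dict:
    """Map permissions to capabilities and decide whether they fit the trojan pattern."""
    caps = {}
    for perm in permissions:
        cap = CAPABILITIES.get(perm)
        if cap:
            caps.setdefault(cap, []).append(perm)
    # Anything beyond what the app's stated purpose needs is unexplained and worth a question.
    unexplained = sorted(set(permissions) - set(expected))
    # The described flow needs all three: intercept SMS, render a fake bank screen, phone home.
    trojan_like = {"sms_access", "overlay", "network"} <= set(caps)
    return {
        "capabilities": sorted(caps),
        "unexplained_permissions": unexplained,
        "banking_trojan_pattern": trojan_like,
    }


if __name__ == "__main__":
    report = assess(manifest_permissions(SAMPLE_MANIFEST))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed manifest this reports all four capabilities, five unexplained permissions and a positive trojan pattern; a manifest requesting only INTERNET and, say, CAMERA is not flagged. The same check works on any decoded manifest, which is the practical way to apply the "verify app permissions" advice before installing a sideloaded APK.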
"These attack campaigns can effectively jeopardise the privacy and security of sensitive customer data and result in large scale attacks and financial frauds," CERT-In says.
How to Protect Yourself from Drinik Android Malware?
CERT-In has shared the following advice to protect bank customers from the Drinik Android malware:
• Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device's manufacturer or operating system app store.
• Before downloading/installing apps on Android devices (even from Google Play Store):
- Always review the app details, number of downloads, user reviews, comments and "additional information" section.
- Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
- Do not enable installation from "Unknown Sources" (the Android setting that allows sideloaded apps).
- Install Android updates and patches as and when available from Android device vendors.
• Do not browse untrusted websites or follow untrusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
• Look for suspicious numbers that don't look like real mobile phone numbers.
• Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS received from banks usually contain sender ID (the bank's short name) instead of a phone number in the sender information field.
• Do extensive research before clicking on the link provided in the message.
• Many websites let anyone look up a phone number and see what others have reported about it, which helps judge whether the number is legitimate.
• Only click on URLs that clearly show the website domain. When in doubt, find the organisation's website directly through a search engine to make sure the site you visit is the legitimate one.
• Install and maintain updated antivirus and antispyware software.
• Consider using safe-browsing and filtering tools (antivirus, firewall and content-based filtering services).
• Exercise caution towards shortened URLs, such as those involving bit.ly and TinyURL. Users are advised to hover their cursors over the shortened URLs (if possible) to see the whole website domain they are visiting or use a URL checker to allow them to enter a short URL and view the full URL.
• Users can also use the shortening service preview feature to see a preview of the full URL.
• Look out for valid encryption certificates by checking for the green lock in the browser's address bar before providing any sensitive information such as personal particulars or account login details.
• Customers should report any unusual activity in their account immediately to the respective bank with the relevant details for taking further appropriate actions.
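Several of the SMS-related checks above (sender ID versus a plain phone number or email-to-text sender, shortened URLs, and domains that merely contain the real organisation's name) can be applied mechanically. The following is an example added by the editor, not code from the article or from CERT-In, that runs those heuristics over a few constructed messages. The sender-ID pattern, the shortener list and the trusted-domain list are assumptions for illustration; incometax.gov.in and incometaxindia.gov.in are the I-T department's real domains, but the list is not exhaustive.

```python
import re
from urllib.parse import urlparse

# Added example (editor's own), not the article's or CERT-In's code.
# Applies the advisory's SMS checks: sender type, shortened URLs, lookalike domains.

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Indian commercial SMS headers look like "AD-HDFCBK": two letters, dash, six characters (assumed shape).
SENDER_ID_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{6}$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "rb.gy", "is.gd"}  # illustrative
TRUSTED_DOMAINS = {"incometax.gov.in", "incometaxindia.gov.in"}  # illustrative allow-list
LURE_WORDS = ("refund", "verify", "verification", "kyc", "blocked", "suspended")

# Constructed sample messages; none of these is a real campaign text.
SAMPLES = [
    {"sender": "+919876543210",
     "body": "Dear customer, your income tax refund of Rs 15,490 is approved. "
             "Verify at https://bit.ly/3xAmPle to receive it."},
    {"sender": "AD-HDFCBK",
     "body": "Rs 2,000 debited from a/c XX1234 on 12-Oct. If not done by you, "
             "call the number on the back of your card."},
    {"sender": "incometax@mailer.example",
     "body": "Refund pending. Complete verification: "
             "http://incometaxindia.gov.in.refund-verify.example/"},
]


def classify_sender(sender: str) -> str:
    """Banks send from a registered sender ID; scammers use numbers or email-to-text gateways."""
    if SENDER_ID_RE.match(sender):
        return "sender_id"
    if PHONE_RE.match(sender):
        return "phone_number"
    if EMAIL_RE.match(sender):
        return "email_to_text"
    return "unknown"


def under_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def domain_flags(host: str) -> list:
    flags = []
    if host in SHORTENERS:
        flags.append("shortened_url")          # destination hidden; expand before trusting
    elif not under_trusted(host):
        flags.append("untrusted_domain")
        # "incometaxindia.gov.in.refund-verify.example" contains the real name but is not under it.
        if any(d in host for d in TRUSTED_DOMAINS):
            flags.append("lookalike_domain")
    return flags


def triage(sender: str, body: str) -> dict:
    """Apply the advisory's SMS checks to one message and return the findings."""
    sender_type = classify_sender(sender)
    flags = [] if sender_type == "sender_id" else [sender_type + "_sender"]
    urls = URL_RE.findall(body)
    domain_hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        domain_hits.extend(domain_flags(host))
    flags.extend(domain_hits)
    if urls and any(word in body.lower() for word in LURE_WORDS):
        flags.append("refund_or_verification_lure")
    # A link is the action the scam needs; a link plus any sender or domain problem is suspicious.
    suspicious = bool(urls) and (sender_type != "sender_id" or bool(domain_hits))
    return {"sender_type": sender_type, "urls": urls, "flags": flags, "suspicious": suspicious}


if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["sender"], triage(msg["sender"], msg["body"]))
```

The first message is flagged for a plain phone-number sender and a shortened URL, the second (a bank alert from a sender ID with no link) passes clean, and the third is flagged for an email-to-text sender and a lookalike domain that only contains the department's real name as a prefix. The lookalike check is the important one in practice: a lock icon and a familiar-looking string at the start of the host name say nothing about which registered domain the link really points to.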