
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers

Android Banking Trojan Stealing User’s Data Via Screen Recording and Keylogging

In September 2021, the Indian Computer Emergency Response Team (CERT-In) issued a warning about a new malware strain targeting Indian taxpayers and mentioned that customers of around 27 banks were at risk of this attack.

The Threat Actors (TA) behind this campaign were suspected of using Drinik malware. An early variant of Drinik malware was first spotted in 2016 as an SMS stealer. Around August 2021, the malware was observed to be active again, this time evolving into an Android banking trojan.

Cyble Research & Intelligence Labs (CRIL) has constantly been monitoring the different variants of Drinik Android malware. In September 2021, CRIL released a blog on a masquerading income tax application that targeted Indian taxpayers to steal Personally Identifiable Information (PII) and banking credentials through phishing attacks.

Recently, CRIL identified an upgraded version of Drinik impersonating the Income Tax Department of India and targeting 18 Indian banks (bank names are explicitly mentioned in the malicious APK file).

The TA uses the same campaign theme to lure the victim, but the malware has been upgraded with advanced capabilities. We have listed the main features implemented in the new variant, making the malware an advanced threat:

  • Screen Recording to harvest credentials
  • Keylogging
  • Abusing CallScreeningService to manage incoming calls
  • Receiving commands via FirebaseCloudMessaging

The malware variant communicates with the Command & Control (C&C) server hxxp://gia[.]3utilities.com, which is hosted on IP 198[.]12.107[.]13. Our investigation confirmed that the previous campaign used the same IP for its C&C communication, indicating that the same Threat Actor (TA) is behind both campaigns.

The below figure shows the details of the C&C IP address and its connection with the previous campaign.

Figure 1 – IP address of C&C server associated with old Drinik variant

Evolution of Drinik:

CRIL has observed three different variants of this malware since 2021. The first variant was observed in September 2021, when the malware used phishing pages to steal credentials. In 2022, two new variants were identified in the wild, introducing screen recording and keylogging features.

The figure below shows the timeline of Drinik malware and its features.

Figure 2 – Evolution of Drinik Banking Trojan

During our investigation, we found that the first version uses a simple phishing page to steal banking credentials, whereas the second version uses screen recording alongside the phishing technique.

Finally, the third and latest version loads the genuine income tax department site and uses screen recording along with a keylogging functionality to steal the login credentials. The below figure shows the login page of three different versions.

Figure 3 – Login pages of Drinik malware versions

In this analysis, we take a look at the latest sample “iAssist.apk (86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523)” of Drinik malware observed on October 18, 2022, which has additional code for abusing the CallScreeningService.

By abusing this service, the malware can disallow incoming calls without the user’s knowledge. Additionally, the strings present in the file are encrypted to evade detection by antivirus products, and the malware decrypts them during run time using a custom decryption logic. The figure below shows the code snippet used by the malware to decrypt the encrypted strings.

Figure 4 – Code to decrypt strings

Technical Analysis

APK Metadata Information

The metadata information of the application is shown below.

Figure 5 – App Metadata Information 

Manifest Description 

The harmful permissions requested by the malware are:

Permission | Description
RECEIVE_SMS | Allows an application to receive SMS messages
READ_SMS | Allows an application to read the phone's SMS messages
SEND_SMS | Allows an application to send SMS messages
READ_CALL_LOG | Allows an application to read the user's call log
READ_EXTERNAL_STORAGE | Allows an application to read from external storage
WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage

Source Code Review  

Like many other banking trojans, the new variant of Drinik relies on the Accessibility Service. After launching, the malware prompts the victim to grant permissions, followed by a request to enable Accessibility Service.

It then starts abusing the service to obtain the necessary permissions to start screen recording, disable Google Play Protect, execute auto-gestures, and capture key logs.

Figure 6 – Malware prompting users to grant Accessibility Service permissions

The latest Drinik variant loads the genuine Indian income tax site hxxps://eportal[.]incometax.gov.in using WebView instead of displaying fake phishing pages.

Figure 7 – Malware loading genuine Indian income tax portal using Webview

Before showing the login page to the victim, the malware displays its own "biometric verification" screen that asks for a PIN. When the victim enters the PIN, the malware captures it both by recording the screen with MediaProjection and by logging the keystrokes.

The malware now sends the stolen details to the C&C server, as shown below.

Figure 8 – Malware sending Biometric PIN to C&C Server

After authentication, the malware displays the genuine site loaded into a Webview. Drinik starts screen recording as soon as the victim enters the User ID (such as PAN/AADHAR/Other valid user ID) and sends the recording to the C&C server.

In the latest version of Drinik, the TA only targets victims with legitimate income tax site accounts.

Figure 9 – Malware loading genuine income tax site

Once the victim logs in to the genuine site, the malware's WebViewClient executes its onPageFinished() callback, which checks the loaded URL to validate the login status.

The malware then compares the loaded URL against the following two URLs, which tell it whether the login succeeded (dashboard) or failed (login):

  • hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard
  • hxxps://eportal.incometax[.]gov.in/iec/foservices/#/login

Figure 10 – Malware executing onPageFinished()

If onPageFinished() receives the URL hxxps://eportal.incometax[.]gov.in/iec/foservices/#/login, the login has failed.

The malware also saves the login state and retrieves it using the getLogingStat command, which lets it identify whether the victim is new or has already logged in.

If the victim is new, the malware shows a message “To use this functionality, you are required to log in first!” and prompts them to log in. Otherwise, the malware will initiate the phishing activity, considering the user logged in successfully. The below figure shows the code snippet to receive the login status.

Figure 11 – Receiving login status

After successful login, the genuine site redirects to the dashboard URL “hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard”. The malware now checks whether this URL is in the onPageFinished() method and displays a fake dialogue box mentioning the below message:

Our database indicates that you are eligible for an instant tax refund of Rs.57,100/- from your previous tax miscalculations till date. Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes.

Figure 12 – Malware displaying dialogue box after successful login

When the victim clicks the “Apply” button, the malware opens the phishing URL hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved&source=App&uid= as shown in the below figure.

Figure 13 – Malware loading phishing URL

The phishing URL redirects to: hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid= site which impersonates the genuine Income Tax Department of India to lure victims into submitting sensitive data.

Figure 14 – Phishing refund page
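The redirect chain above carries two base64-encoded query parameters (id and owner) next to plain-text ones, and the hosts involved are the same ones listed in the IOC section. The script below is an added example (not code from Cyble or from the malware) that matches proxy-log lines against those network IOCs and decodes any query parameter that is valid base64 for printable ASCII. The hosts, IP and URLs are taken from this report; the log lines are constructed in a simplified "timestamp client method url status" format and are not real traffic.

```python
"""Match proxy-log lines against the network IOCs from this report and
decode the base64-encoded query parameters of the refund phishing URL.

Added example, not code from Cyble or from the malware. The hosts, IP and
URLs are the ones the report gives; LOG_LINES are CONSTRUCTED in a
simplified "timestamp client method url status" format."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit


def refang(indicator):
    """Turn the report's defanged notation back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Network IOCs as they appear in the report (defanged), keyed by host.
IOC_HOSTS = {
    refang("gia[.]3utilities.com"): "C&C server and refund redirector",
    refang("198[.]12.107[.]13"): "IP hosting the C&C server",
    refang("192[.]227.196.185"): "fake ITR (refund) site",
}


def decode_b64_params(url):
    """Return the query parameters whose values are valid base64 that decodes
    to printable ASCII. Plain words (RefundApproved, App) fail strict base64
    validation or padding, and the empty uid= decodes to nothing; both are
    skipped rather than reported as garbage."""
    decoded = {}
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in query.items():
        for value in values:
            try:
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and raw.isascii() and raw.decode("ascii").isprintable():
                decoded[key] = raw.decode("ascii")
    return decoded


def scan_log(lines):
    """Return one hit per line whose destination host is a known IOC."""
    hits = []
    for line in lines:
        timestamp, client, method, url, status = line.split()
        host = urlsplit(url).hostname
        if host in IOC_HOSTS:
            hits.append({
                "time": timestamp,
                "client": client,
                "host": host,
                "status": int(status),
                "why": IOC_HOSTS[host],
                "decoded_params": decode_b64_params(url),
            })
    return hits


# CONSTRUCTED sample log: one victim following the redirect chain, then a
# legitimate request to the genuine portal that must not be flagged.
LOG_LINES = [
    "2022-10-18T10:02:11Z 10.0.0.15 GET "
    "http://gia.3utilities.com/Refund/redir.php?i=RefundApproved&source=App&uid= 302",
    "2022-10-18T10:02:12Z 10.0.0.15 GET "
    "http://192.227.196.185/1305275237/uv4h.php?action=Refund_Approved"
    "&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid= 200",
    "2022-10-18T10:02:13Z 10.0.0.15 GET "
    "https://eportal.incometax.gov.in/iec/foservices/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["time"], hit["client"], hit["host"], hit["why"])
        for name, value in hit["decoded_params"].items():
            print("  decoded", name, "=", value)
```

Running it flags the first two lines and leaves the genuine eportal request alone. The owner parameter decodes to "Admin" and id to an email-address-shaped string; the report does not say what the phishing kit uses these fields for, so treat the decoded values as extra pivot strings for hunting other deployments of the same kit, not as attribution.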

After clicking on the “Proceed to the verification steps” button, the malware prompts the victim to submit personal details such as full name, Aadhar number, PAN number, and other details along with financial information, which includes Account number, Credit card number, CVV, and PIN.

This stolen data is further sent to the C&C server and can be used by the TA to perform fraudulent transactions.

Figure 15 – Phishing site asking for personal details

Figure 16 – Phishing site asking for financial information

After submitting details, the malware displays the confirmation page with all the details entered by the victim. Further, it prompts the victim to verify ITR (Income Tax Returns) details using net banking credentials.

Figure 17 – Confirmation details page

Figure 18 – Phishing site prompting net banking credentials for verification

Alongside stealing credentials via screen recording and phishing pages, we also observed the malware targeting Indian banks by abusing the Accessibility Service.

Whenever any event triggers the Accessibility Service, the malware checks the source of the event with the bank keywords stored in a shared preference key “newCLICKJACK”. If the keyword matches, the malware collects the keylogging data, which could contain banking credentials.

Figure 19 – Targeting Indian banks with a keylogging feature

The malware registers a CallScreeningService in the manifest file. The default dialer or a third-party call-screening app uses a CallScreeningService to allow or disallow incoming calls before they are shown to the user. Note that on Android 10 and later the system only binds such a service if the app holds the call-screening role or is the default dialer; the report does not detail how Drinik obtains that role.

Drinik abuses this service to disallow incoming calls, likely to prevent the interruption of any ongoing malicious activity, and sends the incoming call status to the C&C server.

Figure 20 – Malware abusing CallScreeningService to disallow incoming calls

The malware receives commands via FirebaseCloudMessaging (FCM) and saves each one in the variable "processCMD".

The malware further executes the respective malicious task based on the commands received from FCM to perform other malicious activities on an infected device. Some of the commands received via FCM are:

Command | Description
VERIFYMOBILE | Verifies the device registration status
OPENAPPCOMPONENT | Starts the app component activity received from the server
GETAUTOCMD | Sends the AutoCMD value from the shared preference file to the C&C server
DISABLE_ICON | Hides the app icon
KILLSOUND | Silences audio for calls and notifications
CHECKOVERLAY | Sends the overlay status
DEFOREGROUNDIFY | Stops the foreground service
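The three manifest-level traits that this analysis keeps returning to (the SMS and call-log permissions from the Manifest Description section, the CallScreeningService registration, and an FCM receiver for command delivery) can be checked mechanically before any dynamic analysis. The script below is an added example, not code from Cyble or from the Drinik sample: it parses a decoded AndroidManifest.xml, such as the one apktool produces, and reports which of those traits are present, plus whether they combine with an Accessibility Service into the profile described here. The embedded manifest is constructed to mirror the report's description; its package and class names are placeholders, not identifiers from the real APK.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability set
described in this report: SMS/call-log permissions, an Accessibility
Service, a CallScreeningService and a Firebase Cloud Messaging receiver.

Added example, not code from the Drinik sample or from Cyble. Feed it the
AndroidManifest.xml produced by `apktool d <apk>` (which decodes the binary
XML). SAMPLE_MANIFEST below is CONSTRUCTED; its package and class names are
placeholders, not identifiers taken from the real APK."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions the report lists as harmful.
WATCHED_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# The OS only binds an accessibility or call-screening service that is
# declared with the matching android:permission, so that attribute is the
# reliable marker for the capability.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_SCREENING_SERVICE": "call_screening_service",
}
# A FirebaseMessagingService subclass registers an intent filter for this
# action; that is how FCM-delivered commands reach the app.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(manifest_xml):
    """Return the watched permissions and service capabilities in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    caps = set()
    for svc in root.iter("service"):
        cap = BIND_PERMISSIONS.get(svc.get(ANDROID + "permission"))
        if cap:
            caps.add(cap)
        for action in svc.iter("action"):
            if action.get(ANDROID + "name") == FCM_ACTION:
                caps.add("fcm_receiver")
    return {
        "package": root.get("package"),
        "permissions": sorted(perms & WATCHED_PERMISSIONS),
        "capabilities": sorted(caps),
    }


def looks_like_drinik_profile(report):
    """Heuristic: an Accessibility Service combined with SMS permissions or a
    call-screening service. Legitimate dialers and assistive apps match too,
    so this is a triage filter, not a verdict."""
    caps = set(report["capabilities"])
    has_sms = any(p.endswith("_SMS") for p in report["permissions"])
    return "accessibility_service" in caps and (
        has_sms or "call_screening_service" in caps)


# CONSTRUCTED manifest modelled on the report; names are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="placeholder">
    <service android:name=".PlaceholderAccessibilityService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PlaceholderScreeningService"
        android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
    <service android:name=".PlaceholderFcmService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report)
    print("matches Drinik-style profile:", looks_like_drinik_profile(report))
```

The BIND_* permission is a better signal than the service class name, because the malware author chooses the class name but the OS refuses to bind an accessibility or call-screening service declared without the corresponding permission. Expect false positives from real dialers and accessibility tools; the output is a list of APKs worth pulling into dynamic analysis, not a detection.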

Conclusion 

Some well-known Android banking trojans such as Hydra, BRATA, Anubis, and several others heavily rely on the Accessibility Service and have developed advanced features by successfully abusing this service.

CRIL observed that Drinik malware is also similarly evolving into an advanced threat by implementing powerful features that we have observed in other banking trojans.

Our analysis indicates that the TA behind Drinik is constantly working on updating their malware with new and advanced features. The TA had initially started developing malware by implementing sophisticated phishing pages for credential harvesting. However, our observations show that they have enhanced their framework with advanced features such as screen recording and keylogging to steal credentials of genuine income tax sites, banking credentials, and biometric details as well.

The malware is still developing, and we may observe a new variant of Drinik malware with new targets and techniques to target their victims.

Our Recommendations 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use biometric unlock features such as fingerprint or facial recognition instead of a PIN where available, so that a PIN captured through keylogging or screen recording cannot be reused to unlock the device.
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PC, laptops, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Initial Access | T1476 | Deliver Malicious App via Other Means
Initial Access | T1444 | Masquerade as a Legitimate Application
Defense Evasion | T1418 | Application Discovery
Discovery | T1426 | System Information Discovery
Impact | T1616 | Call Control
Collection | T1513 | Screen Capture
Persistence | T1402 | Broadcast Receivers
Collection | T1412 | Capture SMS Messages
Credential Access | T1411 | Input Prompt
Exfiltration | T1567 | Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523 | SHA256 | Hash of the analyzed APK file
ba2fb55bb89c98aec3a2130b22584d8c299451ba | SHA1 | Hash of the analyzed APK file
0c6257e385f33e46c1839f59bc4b53d7 | MD5 | Hash of the analyzed APK file
hxxp://gia.3utilities[.]com | URL | C&C URL
hxxp://192[.]227.196.185 | URL | Malicious IP hosting the fake ITR site
198[.]12.107[.]13 | IP | IP hosting the C&C server