The attackers have already targeted customers of more than 27 Indian banks, including large public and private sector banks, according to the CERT-In.
According to the country’s central cyber security agency, a banking Trojan has been discovered in Indian cyberspace that targets bank customers using Android phones and has already hit customers of more than 27 public and private sector banks.
The phishing malware arrives under the subject “income tax refund” and can “effectively jeopardise the privacy of sensitive customer data and result in large-scale attacks and financial frauds”, according to a CERT-In advisory released on Tuesday.
The CERT-In advisory said, “It has been observed that Indian banking customers are being targeted by a new type of mobile banking campaign using Drinik android malware.”
“Drinik started as a primitive SMS stealer back in year 2016 and has evolved recently to a banking Trojan that demonstrates phishing screen and persuades users to enter sensitive banking information,” it said.
The Indian Computer Emergency Response Team, or CERT-In, is the government’s technical arm for combating cyber attacks and protecting the cyber space from phishing, hacking, and other online threats.
The attack process is described in the advisory.
According to the CERT-In, the victim receives an SMS with a link to a phishing website that looks identical to the Income Tax Department website. The site asks them to enter personal information and to download and install the malicious APK file in order to complete verification.
“This malicious android app masquerades as the Income Tax Department app and after installation, the app asks the user to grant necessary permissions like SMS, call logs, contacts etc.”
“If the user does not enter any information on the website, the same screen with the form is displayed in the android application and the user is asked to fill in to proceed,” it said.
Full name, PAN, Aadhaar number, address, date of birth, mobile number, email address, and financial details such as account number, IFS code, CIF number, debit card number, expiry date, CVV, and PIN are among the information to be entered.
The application states that there is a refund sum that could be transferred to the user’s bank account once these details are submitted by the user, it said.
The application displays an error and a bogus update screen when the user enters the amount and clicks “Transfer”.
“While the screen for installing update is shown, Trojan in the backend sends the user’s details including SMS and call logs to the attacker’s machine,” it said.
“These details are then used by the attacker to generate the bank specific mobile banking screen and render it on user’s machine. The user is then requested to enter the mobile banking credentials which are captured by the attacker,” it said.
To protect against such attacks and malware, the advisory recommends taking steps such as downloading apps from official app stores, installing appropriate Android updates and patches as soon as they become available, using safe browsing tools, conducting extensive research before clicking on any links provided in the message, and checking for valid encryption certificates by looking for the green lock in the browser’s address bar.
It further instructed customers to immediately notify their bank of any unusual activity in their accounts and also to send the complaint to CERT-In at incident@cert-in.org.in.

