The alley for Indian Chartered Accountants

SBI red-flags fake Income Tax app stealing taxpayer info. Follow these steps to stay safe

Nov 5, 2022

SBI alerted its users that Drinik malware is one such malware targeting Indian taxpayers to steal Personally Identifiable Information (PII) and banking credentials through phishing attacks.

State Bank of India (SBI) sensitised its social media followers to the risks of downloading software or apps from untrusted sources. One major hazard of downloading dubious apps from unofficial sources is that the user may inadvertently install dangerous malware capable of causing serious financial harm.

SBI is not alone in warning its customers of the risks of mistakenly downloading the dangerous Drinik malware. Earlier, Punjab National Bank, in a report citing analysts, said the malware has evolved into an Android Trojan that can steal important personal details and banking credentials. It originally operated as an SMS stealer, but has since added banking Trojan features. In its new form, it is capable of screen recording, keylogging, abusing Accessibility services, and performing overlay attacks.

An advanced version of the Drinik malware has affected over 18 Indian banks.

Over the years, the Drinik malware has undergone various changes and just last year, the CERT-In (Indian Computer Emergency Response Team) issued an advisory about this virus that affected users of 27 banks. Since then, the Drinik malware has received some modifications that allow it to record your screen and log keystrokes.

The updated version of the malware, disguised as iAssist, a website tool of the Income Tax Department, tricks the victim into granting unlimited access and steals precious information.

How Drinik malware steals your financial information

Drinik malware comes disguised as an APK file named iAssist. The Android Package, with the file extension apk, is the file format used by the Android operating system and a number of other Android-based operating systems for the distribution and installation of mobile apps, mobile games and middleware. iAssist is the official tax management tool of the Income Tax department in India.

Once installed, Drinik malware will ask for permission to read, receive and send SMS, in addition to reading the user’s call log. It also requests permission to read and write to external storage. Like other banking Trojans, Drinik relies on the Accessibility Service. Since many apps request this functionality, many users do not pay heed when tapping the ‘grant access’ button. This should not be taken lightly.

The malware then disables Google Play Protect and starts executing auto-gestures and capturing key presses.

Next, it loads the genuine Indian income tax site, instead of displaying fake phishing pages. Before showing the login page to the victim, the malware will display an authentication screen for biometric verification.

When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes. The stolen details are then sent to the C&C server.

What is worrisome is that in the latest version of Drinik, the threat actor (TA) only targets victims with legitimate income tax site accounts. Once the victim logs into the account successfully, it shows a fake dialogue box on the screen with the following message: “Our database indicates that you are eligible for an instant tax refund of ₹57,100 – from your previous tax miscalculations till date.

Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes.” When the user clicks the Apply button, they are redirected to a phishing website. The malware now prompts the victim to submit personal details such as full name, Aadhaar number, PAN number, and other details along with financial information, which includes account number, credit card number, CVV, and PIN. The stolen data is again sent to the C&C servers.
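As an added example (not from the article, and not any bank's or analyst's tooling), the script below performs a static triage of a decoded AndroidManifest.xml for the permission pattern the article attributes to Drinik: SMS read/receive/send, call-log and external-storage access, plus a declared Accessibility Service. The manifest fragment is constructed for demonstration and the verdict thresholds are assumed heuristics, not a malware classification.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article says Drinik requests after installation.
RISKY = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Flag the SMS + call log + storage + Accessibility Service combination
    in a decoded AndroidManifest.xml. Heuristic triage, not a malware verdict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    hits = sorted(requested & RISKY)
    # An Accessibility Service is a <service> the system binds to only via
    # BIND_ACCESSIBILITY_SERVICE; it is what lets a trojan perform
    # auto-gestures and read on-screen content.
    a11y = any(s.get(PERMISSION) == ACCESSIBILITY for s in root.iter("service"))
    sms = any(h.endswith("_SMS") for h in hits)
    # SMS access alone (a messaging app) or an Accessibility Service alone
    # (a screen reader) is legitimate; the two together merit review.
    verdict = "review" if sms and a11y else ("watch" if hits or a11y else "ok")
    return {"risky_permissions": hits, "accessibility_service": a11y,
            "verdict": verdict}


# Constructed manifest fragment for demonstration, not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests extracted with a tool such as apktool; a "review" verdict is a prompt for manual analysis, since legitimate apps can also combine these permissions.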

[Times Now]
