Malware name: DRINIK
Type: Trojan malware
File type: .apk
DRINIK is an Android Trojan: it poses as an income tax refund application and instead steals the user's banking information. DRINIK uses phishing techniques to attack users and persuade them to enter sensitive banking details.
How does DRINIK steal information?
- The user receives an SMS containing the malicious link; the message informs the victim about their income tax refund.
- When the user clicks the link, they are asked to enter some personal information and to install an APK file, which is actually the malware. Once installed, the Trojan is on the user's Android device, and the user can hardly tell the difference between the interface of the DRINIK app and a genuine income tax application.
- Once installed, the application asks for permissions such as SMS, Contacts and Call logs. If the user did not give any information on the website, the Trojan asks for the same details again inside the application before allowing the user to proceed.
- The personal details the user is asked for include full name, Aadhaar number, PAN, address, mobile number, date of birth and email address.
- The financial details the user is asked for include account number, CIF number, IFS code, card number, expiry date, CVV and finally the PIN, which gives the attacker complete access to the user's account.
- The malware then asks the user to have the refund amount transferred to their account. The moment the user enters the amount and hits 'transfer', it shows a fake screen and tells the user about some update
Indicators of compromise:
- Hashes of the file:
- C2 servers:
IP ADDRESS SCANS:
188.8.131.52 and 184.108.40.206: completely unresponsive to ping, with all ports filtered.
220.127.116.11: responsive; the host is up and running, with port 22/tcp open.
How to avoid DRINIK malware?
- It is always advised to file income tax returns using the official website of the Government of India: https://www.incometax.gov.in/iec/foportal
- Hyperlinks sent through messages should never be opened; instead, always know the official website before logging in or entering any information on a random website.
- Never install an application from the web; instead, search for it on the Google Play Store or App Store to avoid installing malware.
- No income tax website ever asks for your PIN, so read carefully what is being asked and, if anything looks suspicious, do not continue on the website or application.
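One defender-side check that follows from the infection chain and the advice above, added here as an example and not code from the original write-up: it triages an SMS body for the DRINIK lure pattern (refund wording, a link whose host is not the official incometax.gov.in portal or merely looks like it, and a direct .apk download). The sample messages, the lookalike host and the keyword list are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The official Income Tax portal named in the advice above; anything else is suspect.
OFFICIAL_HOSTS = {"incometax.gov.in"}
# Constructed lure wording matching the refund-themed SMS described above.
LURE_WORDS = ("refund", "income tax", "tax return")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_official(url):
    """True only for the official host or a real subdomain of it (not a lookalike)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def triage_sms(text):
    """Return (verdict, reasons) for an SMS body: 'block', 'review' or 'allow'."""
    reasons = []
    lure = any(w in text.lower() for w in LURE_WORDS)
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Side-loaded APK delivery is the install step of the chain described above.
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK download: {url}")
        if host_is_official(url):
            continue
        # A host that merely contains the brand name is the classic lookalike.
        if any(h.split(".")[0] in host for h in OFFICIAL_HOSTS):
            reasons.append(f"lookalike host: {host}")
        else:
            reasons.append(f"host not on official list: {host}")
    if lure and reasons:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


# Constructed sample messages (not real DRINIK SMS text).
SAMPLES = {
    "lure": "Dear taxpayer, your income tax refund of Rs 14,250 is pending. "
            "Claim now: http://incometax-refund.example/itr/refund.apk",
    "official": "Reminder: file your return at https://www.incometax.gov.in/iec/foportal",
    "plain": "Your OTP for login is 482913. Do not share it.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, why = triage_sms(body)
        print(f"{name}: {verdict} {why}")
```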