Indian Taxpayers Face A Multifaceted Threat With Drinik Malware’s Return – Cyble

Key Takeaways

  • Drinik malware displayed heightened activity levels strategically aligning with the Indian income tax return filing period.
  • The latest iteration of Drinik malware boasts a range of newly added functionalities.
  • Drinik malware broadened its scope by including UPI (Unified Payments Interface) applications as part of its target list.
  • The malware takes proactive measures to thwart victims’ attempts to initiate a factory reset on their compromised devices.
  • A notable addition is the “Blast SMS” feature, enabling the malware to send bulk SMS messages directly from infected devices.
  • The primary method for harvesting net banking credentials involves a combination of keylogging and screen recording techniques.

Overview

The Drinik malware campaign has been in operation since 2020 and is particularly focused on Indian income tax users. Over time, this malicious campaign has shown adaptability by incorporating new techniques into its malware. Initially, the malware relied on phishing methods to compromise its victims. However, in subsequent versions, it has evolved to exploit the Accessibility Service on Android devices, allowing it to carry out its malicious activities more effectively.

Cyble Research and Intelligence Labs (CRIL) has consistently been monitoring the activities of Drinik malware. In October 2022, we discovered an advanced variant of Drinik malware. This variant was notable for its use of screen recording and keylogging as primary techniques to steal login credentials, with a specific focus on individuals filing income tax returns in India.

Drinik malware has maintained its activity throughout the year. However, around June 2023, coinciding with the commencement of income tax return filing by Indian taxpayers, Threat Actors (TA) ramped up their efforts in distributing the Drinik malware. The predominant method for distributing this malware involves smishing techniques.

Numerous income tax users have reported receiving phishing messages that include links redirecting them to URLs for malware distribution.

Below, we have an illustration of a phishing SMS shared by a Twitter user.

Figure 1 – Income Tax phishing message

After clicking the URL hxxp://107.174.45[.]116/ip2/?ITR provided in the phishing message, users are redirected to another URL, hxxp://78.110.116[.]82/~serverxp/R7UWUA/?itrMobile.

This new URL displays a counterfeit website impersonating the Income Tax Department of India. On this fake website, users are prompted to download an APK file, supposedly to initiate a tax refund process.

Figure 2 – Phishing ITR page

Upon clicking the “Download itrMobile Now” link, users are redirected to a different URL, specifically hxxp://198.46.177[.]159/VDAJ/index.php?dir=../apk/9dg. This URL triggers the download of a malicious APK file named “itrMobile.apk (ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489)”. Upon analyzing this malicious application, we observed that the TA had introduced new functionalities into Drinik malware.

Here, we want to highlight that this variant of the Drinik malware was also identified by malwrhunterteam on August 30, 2023.

The latest variant of Drinik malware has added the following functionalities:

  1. Targeting UPI applications (GooglePay, PhonePe and Paytm)
  2. Sending SMSs from the infected device
  3. Code to target Android 13 (Guiding victims on how to allow restricted settings)
  4. Preventing Factory Reset
  5. Uninstalling the True Caller application
  6. Stealing Camera Pictures
  7. Modifying Clipboard content
  8. Targeting specific banking and UPI application components

For an in-depth analysis of Drinik malware, please refer to our previous blog post. In this article, our primary focus is to illustrate the newly added features of the Drinik malware, which can be found in the technical analysis section.

Technical Analysis

APK Metadata Information

  • App Name: itrMobile
  • Package Name: com.avu.itrMobile
  • SHA256 Hash: ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489
Figure 3 – Application metadata information

Similar to the previous variant, Drinik malware requests necessary permissions from the victim, including permission to access the Accessibility Service. Once the victim grants permission and enables the Accessibility Service, the malware exploits it to monitor the victim’s actions and makes efforts to prevent any attempts to uninstall it.

Figure 4 – Malware prompts the victim to grant permissions and enable the Accessibility service

In the background, the malware starts communicating with the Command and Control (C&C) server “hxxp://hc[.]bounceme.net/iaserver.php” and sends the command name executed by the malware, as shown in the figure below.

Figure 5 – C&C communication

Downloading payload

CRIL observed intriguing behavior in this variant of Drinik malware: it establishes a connection to the URL hxxp://192.3.124[.]14/us/Child[.]apk and downloads an APK file. The malware then saves the downloaded APK at the following location: “/storage/emulated/0/Android/data/com.avu.itrMobile/files/apks/AApk.apk”.

It is then discreetly installed on the compromised device. However, upon comparing the source code, we noticed that the downloaded APK file closely resembles the parent APK but notably lacks any visible user interface activity and connects to a different C&C server. It is currently unclear why the APK file “AApk.apk” was downloaded, especially since it contains the same source code as the parent file.

Figure 6 – The shared preference file contains a download link

Prompting to enable “Restricted Setting”

Since the introduction of the “Restricted Setting” feature in Android 13, it has become challenging for sideloaded applications to access certain device settings. In this particular variant, the Drinik malware has incorporated code to display a dialogue box that guides the victim on how to enable the “Restricted Setting.” The code snippet provided below demonstrates how the malware checks the Android version and then prompts the user with a “Restricted Setting” dialogue box containing the following message.

“<p>Android has restricted some important components required by this app. To continue enable “<b>Restricted Settings</b>”.</p> <p>1. Click ‘app info’ below .</p>2. Tap on 3 dots(top right corner of page).<p>3. Choose and enable ‘allow restricted settings’.</p>”

It’s important to note that the malware isn’t directly bypassing the restrictions but rather informing and guiding users on how to grant access to the “Restricted Setting” feature, thereby increasing the likelihood of gaining access to restricted device settings.

Figure 7 – Malware prompting to enable Restricted Setting

Stealing Net Banking Credentials

As explained in our previous blog post, the malware typically loads the authentic Income Tax Department website within a WebView. However, in this particular variant, the malware introduces a dialogue box after loading the Income Tax Department site. This dialogue box encourages the victim to log in to the portal using net banking. However, the victim has the option to select their preferred login method.

Figure 8 – Login activity of Drinik malware

If the victim opts for “CONTINUE WITH PAN,” the malware proceeds with a process similar to the previous variant. However, when the victim selects “LOGIN WITH NETBANKING,” the malware redirects the user to the authentic Income Tax Department website for net banking login at https://eportal.incometax.gov.in/iec/foservices/#/login/netBanking. This webpage enables users to log in using their respective net banking accounts.

Figure 9 – Income Tax Department net banking login process

When the victim accesses net banking webpages for login, Drinik initiates screen recording and keylogging to obtain net banking credentials illicitly. Encouraging victims to log in using net banking enhances the likelihood of swiftly stealing credentials. This marks a departure from the previous version, which involved a lengthy phishing process requiring victims to input numerous details into phishing pages. The phishing process used in the previous variant could raise suspicion and prompt victims to cease using the malicious application.

The figure below shows the screen recording activity upon visiting the net banking webpage.

Figure 10 – Starts screen recording

The recorded content and the stolen net banking credentials, along with their accessibility node information, are sent to the C&C server using the parameter “LocalCapture” and the command “LocksAndIntercepts”, as shown in Figures 9 and 10.

Figure 11 – Sending recorded screen content
Figure 12 – Stealing net banking credentials using keylogging

Targeting UPI Applications

In the previous iteration of the Drinik malware, it was observed targeting 18 Indian banks. However, in its latest version, it has expanded its scope to include UPI (Unified Payments Interface) applications among its targets. These UPI applications encompass popular platforms such as Google Pay, PhonePe, and Paytm. UPI apps provide users with a convenient means of instant money transfer, enabling them to send money to various bank accounts through a single mobile application.

Drinik malware examines the package names of installed UPI applications. Upon identifying one of these UPI applications, the malware utilizes a process command called “INSERTSMS_AND_PERMISSION” to insert a counterfeit SMS into the compromised device. The SMS contains the following content:

“TX-PHONPE:::Deposit of Rs.35,670 to your account has been reversed as your bank server did not respond on time. Kindly open Phonepe app and check your account balance for verification. Contact support immediately if your account Balance is not proper.”

Figure 13 – Fake UPI SMS inserted into the inbox of an infected device

Analyzing the content of the SMS, we suspect that the TA has inserted this message with the intention of prompting the victim to open a UPI application and verify the available balance in their bank account. Additionally, the malware is equipped with screen recording and keylogging capabilities, enabling it to capture the victim’s UPI PIN for the targeted UPI application.

The figure below shows the inserted SMS in the inbox of an infected device. These SMS messages seem to originate from genuine UPI applications, enticing the victim to view the messages and open the respective application:

Figure 14 – Fake UPI SMS

Sending SMSs

In the most recent version of the Drinik malware, the TA has introduced a new feature known as the “Blast SMS” sequence. It’s important to note that the TA uses the term “sequence” for various feature execution flows, such as the Blast Contact sequence, APK installation sequence, and Permission sequence.

With the Blast SMS sequence, the malware sends SMS messages from the infected device to numbers provided by the server. The TA may have adopted this approach as a means to disseminate the Drinik malware to a broader range of targets. The figure below depicts the Blast SMS activity.

Figure 15 – Blast SMS Activity

Furthermore, the malware maintains a record of sent SMS messages through several log files, including “BlastReport.txt,” “BlastSentList.txt,” and “BlastFailList.txt.” The Drinik malware actively monitors the series of unsuccessful SMS transmissions from both SIM 1 and SIM 2, and in the event of consecutive failures, it suspends the SMS blast sequence.

Figure 16 – Suspends Blast SMS sequence

Much like the Blast SMS feature, the malware has also introduced a Blast Contact Sequence. In the initial phase, before accessing the legitimate Income Tax Department site, the malware transmits the device’s contact list to the server using the “UploadContactList” command. In return, it receives three parameters, the “uploadResult”, “contactBlast”, and “contactsBlastSms”.

The figure below illustrates the response received after the malware sends the contact list.

Figure 17 – Malware sends contact list and receives parameters in response

During the dynamic analysis, no specific values were observed accompanying these parameters. However, based on the code analysis, it is evident that the malware utilizes these parameters to send SMS messages to the infected device’s contact list, based on the values received from the server.

Figure 18 – Blast Contact Sequence

Preventing Factory Reset

Last year, Trend Micro also conducted an analysis of Drinik, also known as Elibomi malware. In their analysis, they identified that the malware could automatically click on notifications or dialogue boxes related to payment risks. In addition to this existing functionality, the latest variant introduced two new features.

The malware utilizes a “watch” keyword to store the status of these features in the shared preference file. For instance, it uses terms like “factoryResetWatch” to save the status of factory reset. Hence, we are referring to these features as the “watch” module. These modules have been incorporated into the malware to automate interaction with any active window opened on the infected device that is related to uninstallation or could potentially obstruct the malware’s execution.

Below is a full list of these watch modules, with the new ones highlighted in bold:

  • BatteryDrainWatch
  • UninstallWatch2
  • VirusDefenceWatch
  • UninstallWatch
  • factoryResetWatch
  • deviceManagerWatch
  • PlayProtectWatch

In this particular version, Drinik actively observes the actions of the victim. If it detects that the victim is attempting to perform a factory reset of the device in order to remove the malware or stop the infection, Drinik prevents the victim from executing the factory reset by performing a back action.

Figure 19 – Preventing Factory Reset

Similarly, the malware actively observes whether the victim is engaging with the iManager application, which is a default application provided by ViVo. iManager offers an application scan feature designed to identify malware and vulnerable applications. Whenever Drinik detects that the victim is using this application, it initiates a back action to avoid getting detected.

Figure 20 – Prevents opening iManager application

Uninstalling the True Caller Application

As a component of its SMS sequence, the malware checks for the presence of the True Caller application on the compromised device, in addition to checking the status of BlockSMS stored in the shared preference file. Subsequently, it takes action to uninstall True Caller. This application is highly favored by more than 240 million users in India due to its caller identification and diverse functionalities. The malware’s objective in removing this app from the victim’s device is to obscure its nefarious activities, including the mass distribution of SMS messages and manipulation of incoming calls.

Figure 21 – Uninstalling Truecaller application

Stealing Camera Pictures

In this particular version, Drinik incorporated a code that allows it to exfiltrate camera images from the compromised device each time it receives the command “GET_ALL_CAMERA_PICTURES” from the server.

Figure 22 – Stealing camera pictures

Modifying Clipboard Content

This malware also has the ability to modify the contents of the clipboard when it receives a command labeled “WRITECLIPBOARD.” This capability enables the malware to potentially alter important information, such as bank account numbers or phone numbers, while the victim initiates a financial transaction.

Figure 23 – Changing Clipboard content

Targeting Specific Banking And UPI Application Components

Additionally, the malware acquires a list of component names for targeted applications through the “getCilentCMD” command, storing these components in a shared preference file under the variable “CLICKJACK.” These components include login elements for UPI, mobile banking applications, and the Android settings app, as depicted in the figure below. Whenever the victim engages with any of these components, the malware activates screen recording and keylogging to exfiltrate login credentials.

Figure 24 – Malware receives targeted app activity component name

The earlier variant of Drinik represented a significant transformation from basic phishing malware to a more advanced version. However, the updated variant, with several noticeable alterations, underscores the ongoing development of this malware and its continued distribution.

Conclusion

Since 2020, Drinik malware has been consistently targeting Indian taxpayers, especially during the tax return filing season. In each resurgence, the malware has undergone several changes. In this latest variant, it not only retains its previous malicious activities but also introduces new features designed to enhance its persistence and make it challenging for victims to remove.

Moreover, it possesses advanced capabilities to covertly harvest users’ banking details without their knowledge and has expanded its target list to include UPI applications. This highlights the ongoing threat posed by this malware in compromising sensitive financial information. Users must remain vigilant and implement robust security measures to protect their personal and financial data.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device to avoid unauthorized access obtained using malicious activities such as keylogging and screen recording.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated.
  • If Drinik malware has compromised your device, boot the device into safe mode and uninstall the malware from there, since the malware prevents a Factory Reset.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Procedure |
|---|---|---|
| Persistence (TA0028) | Event-Triggered Execution (T1624.001) | Drinik triggers incoming SMS stealer code based on the SMS broadcast receiver |
| Defense Evasion (TA0030) | Impair Defenses (T1629.001) | Drinik prevents uninstallation |
| Defense Evasion (TA0030) | Indicator Removal on Host (T1630.002) | Drinik deletes SMSs from the infected device |
| Collection (TA0035) | Call Control (T1616) | Drinik can disallow or block incoming calls |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Steals contact list |
| Collection (TA0035) | Screen Capture (T1513) | Steals recorded screen content |
| Collection (TA0035) | Data from Local System (T1533) | Steals camera pictures |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Uses keylogging to steal net banking credentials |
| Impact (TA0034) | SMS Control (T1582) | Drinik can send and delete SMS |
| Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | Communicates with the C&C server using HTTP |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data over the C&C channel |

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
|---|---|---|
| ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489 | SHA256 | Hash of analyzed APK |
| 6b52f3687e7688b187960f3af0e42575872d7c1b | SHA1 | Hash of analyzed APK |
| bc8a2d4ea47e579f7b9a050084c4633c | MD5 | Hash of analyzed APK |
| hxxp://107.174.45[.]116/ip2/?ITR | URL | Distribution URL |
| hxxp://78.110.116[.]82/~serverxp/R7UWUA/?itrMobile | URL | Phishing page |
| hxxp://198.46.177[.]159/VDAJ/index.php?dir=../apk/9dg | URL | Download URL |
| c0554461dd0bac1a3b80ab1329e1a4eb9f993f8a666bcb9c4d0915273092d062 | SHA256 | Downloaded APK hash |
| f3d4ad7dd8a48b72c18d3e1c5f769adaf01636fa | SHA1 | Downloaded APK hash |
| eb5f423c7c5536e926abde36993a2b30 | MD5 | Downloaded APK hash |
| hxxp://192.3.124[.]14/us/Child[.]apk | URL | Download URL |
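As an added triage example (not code from the Cyble report), the following Python helper turns the indicators above into checks a responder can run: it refangs the defanged URLs for a blocklist, compares an APK's SHA256 against the published hashes, and flags the com.avu.itrMobile package in an `adb shell pm list packages -f` listing. The package listing embedded below is constructed sample input, not output from an infected device.

```python
"""Added triage helper (not part of the Cyble report): checks a package listing
and an APK file against the Drinik indicators published in the report."""
import hashlib
import re

# Indicators taken from the report's IOC table and APK metadata.
DRINIK_PACKAGE = "com.avu.itrMobile"
DRINIK_SHA256 = {
    "ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489",  # itrMobile.apk
    "c0554461dd0bac1a3b80ab1329e1a4eb9f993f8a666bcb9c4d0915273092d062",  # downloaded AApk.apk
}
DRINIK_URLS_DEFANGED = [
    "hxxp://107.174.45[.]116/ip2/?ITR",
    "hxxp://78.110.116[.]82/~serverxp/R7UWUA/?itrMobile",
    "hxxp://198.46.177[.]159/VDAJ/index.php?dir=../apk/9dg",
    "hxxp://192.3.124[.]14/us/Child[.]apk",
    "hxxp://hc[.]bounceme.net/iaserver.php",
]


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a usable blocklist entry."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_drinik_apk(data: bytes) -> bool:
    """True when the APK bytes hash to one of the published SHA256 values."""
    return sha256_hex(data) in DRINIK_SHA256


def parse_pm_list(output: str) -> dict:
    """Parse `adb shell pm list packages -f` output, one 'package:<path>=<name>'
    per line, into {package_name: apk_path}. The APK path may itself contain
    '=' (base64 padding in app directories), so split on the last '=' only."""
    pkgs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        pkgs[name] = path
    return pkgs


def find_drinik_packages(output: str) -> list:
    """Return installed package names that match the Drinik package indicator."""
    return sorted(n for n in parse_pm_list(output) if n == DRINIK_PACKAGE)


# Constructed sample of `pm list packages -f` output; the paths are made up.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx1Abc==/com.avu.itrMobile-7Zy9==/base.apk=com.avu.itrMobile
package:/data/app/~~Kp2Def==/com.example.notes-3Gh1==/base.apk=com.example.notes
"""

if __name__ == "__main__":
    print("Suspicious packages:", find_drinik_packages(SAMPLE_PM_OUTPUT))
    print("Blocklist entries:", [refang(u) for u in DRINIK_URLS_DEFANGED])
```

On a live device the listing comes from `adb shell pm list packages -f`, and a flagged package can be removed with `adb shell pm uninstall --user 0 com.avu.itrMobile`, which does not rely on the on-device factory reset that the malware blocks.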

Source: https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/