New Android malware steals banking data: Here's how it works
What's the story
The Indian Computer Emergency Response Team (CERT-In), the Indian government's cybersecurity agency, has warned of a potential threat to Android users.
An Android banking Trojan called Drinik has been spotted in the wild. It tries to steal money and sensitive banking information from victims on the pretext of generating income tax refunds.
Customers of over 27 Indian banks have already been targeted by the campaign.
Here are more details.
Drinik malware
Malicious app and website masquerading as Income Tax Department's offerings
In an advisory released online, CERT-In noted that the bad actors behind this Android malware are essentially running a good old-fashioned phishing scam, delivered over SMS (smishing). The victims receive an SMS containing a link to a malicious website that looks like the Income Tax Department's portal.
The website reportedly collects personal information and then prompts the victim to download an Android app (an APK sideloaded from outside the Play Store) laced with the Drinik malware.
Modus operandi
Malicious app seeks access to call logs, SMS
The unsuspecting victim is prompted to download and install the malicious app on the pretext of completing verification. Post-installation, this app, which looks like something from the Income Tax Department, requests sensitive device permissions such as SMS, call logs, and contacts, none of which a tax-filing app needs. Read access to SMS is what lets the attacker intercept one-time passwords later in the scam.
The app then displays the same form as the malicious website and asks the user to enter all the details to proceed.
Under your nose
App steals confidential banking information including PIN, CVV
The form in the app collects the victim's full name, PAN (tax ID), mobile number, Aadhaar number, address, date of birth, and email address. It also collects financial details such as account number, IFSC (bank branch code), CIF number, debit card number, expiry date, CVV, and PIN.
The app then claims that the victim is eligible for a tax refund that can be transferred to their bank account.
Details
Attacker generates bank-specific screens for the victim
The instant the victim presses the Transfer button, the app claims to have encountered an error and displays an update screen. In the background, the Drinik Trojan sends the attacker all the collected details, plus the device's call logs and SMS messages.
The attacker uses these details to generate a bank-specific mobile banking screen for the victim, matching the bank identified from the stolen account details. Here, the victim is prompted to enter their mobile banking credentials.
Elaborate scam
CERT-In warns this could lead to large-scale financial fraud
The mobile banking credentials are also relayed to the attacker, jeopardizing both the victim's identity and their bank accounts. Combined with the stolen card details and the ability to read incoming SMS one-time passwords, this gives the attacker what is needed to move money out of the account. CERT-In warned that this could lead to large-scale financial fraud.
In its advisory, CERT-In noted that the best way to avoid such malware is to download apps only from reputable sources such as the Google Play Store and Apple App Store. In practice that means not following links in unsolicited SMS, keeping Android's "Install unknown apps" setting disabled for browsers and messaging apps, and refusing SMS or call-log permission to any app that claims to be a government or tax service.
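The two signals the article gives a defender are the install source (sideloaded rather than a store) and the permission profile (SMS, call logs, contacts). The following is an added example, not code from CERT-In or from the article, of a triage script that combines both: it parses captured output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys package <pkg>` (requested permissions) and ranks apps that look like the Drinik profile. The sample captures are constructed for this example, the exact dumpsys layout differs between Android versions so the parser keys only on the `Package [...]` and `requested permissions:` markers, and treating Google Play (`com.android.vending`) as the only trusted installer is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Permissions that give an app the reach the article describes:
# reading incoming SMS (OTPs), call logs and contacts.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
# Assumption: only Google Play counts as a reputable store.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")   # `pm list packages -3 -i`
PKG_HEADER = re.compile(r"^Package \[([^\]]+)\]")            # `dumpsys package` block start


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]          # None when installer is "null" (sideloaded/unknown)
    requested: Set[str] = field(default_factory=set)


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package -> installer from `pm list packages -3 -i` output."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result


def parse_requested_permissions(text: str) -> Dict[str, Set[str]]:
    """Map package -> requested permissions from concatenated dumpsys output."""
    perms: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    in_requested = False
    for raw in text.splitlines():
        line = raw.strip()
        header = PKG_HEADER.match(line)
        if header:
            current = header.group(1)
            perms.setdefault(current, set())
            in_requested = False
            continue
        if line.endswith(":"):            # any new sub-section ends the permission list
            in_requested = line == "requested permissions:"
            continue
        if in_requested and current and line.startswith("android.permission."):
            perms[current].add(line)
    return perms


def build_records(pm_text: str, dumpsys_text: str) -> List[AppRecord]:
    installers = parse_pm_list(pm_text)
    requested = parse_requested_permissions(dumpsys_text)
    return [AppRecord(p, i, requested.get(p, set())) for p, i in installers.items()]


def triage(records: List[AppRecord]) -> List[Tuple[str, str, List[str]]]:
    """Return (package, severity, reasons) for apps worth a look, worst first.
    Store-installed apps with SMS access are 'low' because legitimate banking
    apps request RECEIVE_SMS for OTP autofill; sideloaded ones are the concern."""
    findings = []
    for rec in records:
        hits = sorted(rec.requested & SENSITIVE_PERMISSIONS)
        if not hits:
            continue
        reasons = [f"requests {p}" for p in hits]
        if rec.installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by {rec.installer or 'unknown installer'}, not a trusted store")
            severity = "high" if len(hits) >= 2 else "medium"
        else:
            severity = "low"
        findings.append((rec.package, severity, reasons))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed sample captures for this example (not real device output).
SAMPLE_PM_LIST = """\
package:com.bank.official  installer=com.android.vending
package:com.itdept.refund  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_DUMPSYS = """\
Package [com.itdept.refund] (1a2b3c4):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.bank.official] (9f8e7d6):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
Package [com.example.notes] (5c4b3a2):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""

if __name__ == "__main__":
    for pkg, severity, reasons in triage(build_records(SAMPLE_PM_LIST, SAMPLE_DUMPSYS)):
        print(f"[{severity}] {pkg}: " + "; ".join(reasons))
```

On a real device, capture the two inputs with `adb shell pm list packages -3 -i > pm.txt` and a loop of `adb shell dumpsys package <pkg> >> dumpsys.txt` over the listed packages, then feed the file contents to `build_records`. The installer name is only as trustworthy as the device: an app installed through a browser's package installer typically shows `null` or the installer app's name, which is exactly the Drinik delivery path.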