SBI is warning about a bogus Department of Income Tax application that steals taxpayer information. Follow these steps to stay safe.


The State Bank of India (SBI) has informed its social media followers about the harms of downloading software or apps from untrusted sources. One of the major risks of downloading dubious apps from unofficial sources is that the user may inadvertently download dangerous malware that can cause severe financial damage to the target.
SBI has alerted its users that Drinik is one such malware, targeting Indian taxpayers to steal personally identifiable information (PII) and banking credentials through phishing attacks.
SBI is not the only bank to warn its customers of the risks of accidentally downloading the Drinik malware. Earlier, the Punjab National Bank, in a report citing analysts, said the malware has evolved into an Android Trojan capable of stealing important personal information and banking credentials. It previously operated as an SMS stealer, but has now added banking trojan features. In its new form, it is capable of recording screens, logging keystrokes, abusing accessibility services, and performing overlay attacks.

An advanced version of the Drinik malware has affected more than 18 Indian banks.

Over the years, the Drinik malware has undergone various modifications, and last year CERT-In (Indian Computer Emergency Response Team) issued an advisory on this virus, which affected users of 27 banks. Since then, the Drinik malware has received a few modifications that allow it to record your screen and log keystrokes.

The updated version of the malware, disguised as the iAssist income tax service tool, tricks the victim into granting unlimited access and then steals valuable information.

How Drinik malware steals your financial information

The Drinik malware comes in the form of an APK file named iAssist. The Android package, with the file extension apk, is the file format used by the Android operating system and a number of other Android-based operating systems for the distribution and installation of mobile applications, mobile games and middleware. iAssist is the official tax management tool of the Income Tax Department in India.

Once installed, the Drinik malware will request permission to read, receive and send SMS messages in addition to reading the user’s call log. It also asks for permission to read and write to external storage. Similar to other banking trojans, Drinik relies on the accessibility service. Since most apps require this feature, many users don’t pay attention when they click the “grant access” button. This should not be taken lightly.
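A triage check for the permission combination described above, as an added example that is not taken from the SBI or CERT-In advisories. It assumes the APK's manifest has already been decoded to plain XML; the sample manifest, its package name and its service name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission groups named in the article's description of Drinik.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.SEND_SMS"}
CALL_LOG = {"android.permission.READ_CALL_LOG"}
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml):
    """Return the findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    if SMS <= requested:
        findings.append("full SMS access (read, receive, send)")
    if CALL_LOG <= requested:
        findings.append("call log read")
    if STORAGE <= requested:
        findings.append("external storage read/write")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID_NS + "permission") == A11Y_BIND for s in root.iter("service")):
        findings.append("declares an accessibility service")
    return findings


def matches_article_profile(manifest_xml):
    """True only when all four behaviours from the article appear together."""
    return len(triage_manifest(manifest_xml)) == 4


# Constructed sample manifest; the package and service names are made up.
PERMS_XML = "".join('<uses-permission android:name="%s"/>' % p
                    for p in sorted(SMS | CALL_LOG | STORAGE))
SAMPLE = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
          'package="com.example.taxhelper">' + PERMS_XML +
          '<application><service android:name=".GestureService" '
          'android:permission="%s"/></application></manifest>' % A11Y_BIND)

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("flag:", finding)
    print("matches profile:", matches_article_profile(SAMPLE))
```

A match is a reason for closer inspection of the app and its source, not proof that it is Drinik.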

The malware then disables Google Play Protect and starts performing automatic gestures and capturing key presses.

It then loads the real Indian income tax site instead of showing fake phishing pages. Before showing the login page to the victim, the malware displays an authentication screen for biometric verification.

When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes. The stolen details are then sent to the C&C server.

Worryingly, in the latest version of Drinik, the threat actor (TA) only targets victims with legitimate accounts on the income tax site. After the victim successfully logs into the account, a fake dialog box appears on the screen with the message below:

"Our database indicates that you are eligible for an instant tax refund of ₹57,100 – from your previous tax calculation errors to date. Click Apply to request an instant refund and receive your refund in your saved bank account within minutes."

When the user clicks the Apply button, they are redirected to a phishing site. The malware now prompts the victim to submit personal information such as full name, Aadhaar number, PAN number and other details along with financial information including account number, credit card number, CVV and PIN. The stolen data is again sent to the C&C servers.