Android Banking Trojan Stealing User’s Data Via Screen Recording and Keylogging
In September 2021, the Indian Computer Emergency Response Team (CERT-In) issued a warning about a new malware strain targeting Indian taxpayers and mentioned that customers of around 27 banks were at risk of this attack.
The Threat Actors (TA) behind this campaign were suspected of using Drinik malware. An early variant of Drinik malware was first spotted in 2016 as an SMS stealer. Around August 2021, the malware was observed to be active again, this time evolving into an Android banking trojan.
Cyble Research & Intelligence Labs (CRIL) has constantly been monitoring the different variants of Drinik Android malware. In September 2021, CRIL released a blog on a masquerading income tax application that targeted Indian taxpayers to steal Personally Identifiable Information (PII) and banking credentials through phishing attacks.
Recently, CRIL identified an upgraded version of Drinik impersonating the Income Tax Department of India and targeting 18 Indian banks (bank names are explicitly mentioned in the malicious APK file).
The TA uses the same campaign theme to lure the victim, but the malware has been upgraded with advanced capabilities. We have listed the main features implemented in the new variant, making the malware an advanced threat:
- Screen Recording to harvest credentials
- Abusing CallScreeningService to manage incoming calls
- Receiving commands via FirebaseCloudMessaging
The malware variant is communicating with Command & Control (C&C) server hxxp://gia[.]3utilities.com, which is hosted on IP 198[.]12.107[.]13. Our investigation confirmed that the previous campaign also used the same IP for its C&C communication, indicating that the Threat Actor (TA) behind both campaigns is the same.
The below figure shows the details of the C&C IP address and its connection with the previous campaign.
Evolution of Drinik
CRIL has observed three different variants of this malware since last year. The first variant was observed in September 2021, when the malware used phishing pages to steal credentials. In 2022, two new variants have been identified in the wild, introducing Screen Recording and Keylogging features.
The figure below shows the timeline of Drinik malware and its features.
During our investigation, we found that the first version uses a simple phishing page to steal banking credentials, whereas the second version uses screen recording alongside the phishing technique.
Finally, the third and latest version loads the genuine income tax department site and uses screen recording along with a keylogging functionality to steal the login credentials. The below figure shows the login page of three different versions.
In this analysis, we take a look at the latest sample “iAssist.apk (86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523)” of Drinik malware observed on October 18, 2022, which has additional code for abusing the CallScreeningService.
By abusing this service, the malware can disallow incoming calls without the user’s knowledge. Additionally, the strings present in the file are encrypted to evade detection by antivirus products, and the malware decrypts them at runtime using custom decryption logic. The figure below shows the code snippet used by the malware to decrypt the encrypted strings.
APK Metadata Information
- App Name: iAssist
- Package Name: lincoln.auy.iAssist
- SHA256 Hash: 86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523
The metadata information of the application is shown below.
The harmful permissions requested by the malware are:

| Permission | Description |
|---|---|
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Allows an application to access phone messages |
| SEND_SMS | Allows an application to send SMS messages |
| READ_CALL_LOG | Allows an application to read the user’s call log |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
Source Code Review
Like many other banking trojans, the new variant of Drinik relies on the Accessibility Service. After launching, the malware prompts the victim to grant permissions, followed by a request to enable Accessibility Service.
It then starts abusing the service to obtain the necessary permissions to start screen recording, disable Google Play Protect, execute auto-gestures, and capture key logs.
The latest Drinik variant loads the genuine Indian income tax site hxxps://eportal[.]incometax.gov.in using WebView instead of displaying fake phishing pages.
Before showing the login page to the victim, the malware displays an authentication screen for biometric verification. When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes.
The malware now sends the stolen details to the C&C server, as shown below.
After authentication, the malware displays the genuine site loaded into a WebView. Drinik starts screen recording as soon as the victim enters the User ID (such as PAN/AADHAR/Other valid user ID) and sends the recording to the C&C server.
In the latest version of Drinik, the TA only targets victims with legitimate income tax site accounts.
Once the victim logs in to the genuine site, the malware executes the onPageFinished() method, which further checks the loaded URL to validate the login status.
The malware then checks if the loaded URL is any of the following and confirms the user’s successful login.
If the onPageFinished() method receives the URL hxxps://eportal.incometax[.]gov.in/iec/foservices/#/login, the login has failed.
The malware also saves the login state and retrieves it using the getLogingStat command, which identifies whether the victim is new or has already logged in.
If the victim is new, the malware shows a message “To use this functionality, you are required to log in first!” and prompts them to log in. Otherwise, the malware will initiate the phishing activity, considering the user logged in successfully. The below figure shows the code snippet to receive the login status.
After successful login, the genuine site redirects to the dashboard URL “hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard”. The malware checks for this URL in the onPageFinished() method and then displays a fake dialog box with the following message:
“Our database indicates that you are eligible for an instant tax refund of Rs.57,100/- from your previous tax miscalculations till date. Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes.”
When the victim clicks the “Apply” button, the malware opens the phishing URL hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved&source=App&uid= as shown in the below figure.
The phishing URL redirects to hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid=, a site that impersonates the genuine Income Tax Department of India to lure victims into submitting sensitive data.
After clicking on the “Proceed to the verification steps” button, the malware prompts the victim to submit personal details such as full name, Aadhar number, PAN number, and other details along with financial information, which includes Account number, Credit card number, CVV, and PIN.
This stolen data is further sent to the C&C server and can be used by the TA to perform fraudulent transactions.
After submitting details, the malware displays the confirmation page with all the details entered by the victim. Further, it prompts the victim to verify ITR (Income Tax Returns) details using net banking credentials.
Alongside stealing credentials via screen recording and phishing pages, we also observed the malware targeting Indian banks by abusing the Accessibility Service.
Whenever any event triggers the Accessibility Service, the malware checks the source of the event with the bank keywords stored in a shared preference key “newCLICKJACK”. If the keyword matches, the malware collects the keylogging data, which could contain banking credentials.
The malware has registered a CallScreeningService in the manifest file. Default dialers or third-party apps use the CallScreeningService to allow or disallow incoming calls before displaying them to users.
Drinik malware abuses this service to disallow incoming calls, likely to prevent the interruption of any ongoing malicious activities, and sends the incoming call status to the C&C server.
The malware receives commands via Firebase Cloud Messaging (FCM) and saves them in the variable “processCMD”.
The malware then executes the respective malicious task based on the commands received from FCM to perform further malicious activities on the infected device. Some of the commands received via FCM are:

| Command | Description |
|---|---|
| VERIFYMOBILE | Verify the device registration status |
| OPENAPPCOMPONENT | Starts the app component activity received from the server |
| GETAUTOCMD | Sends the AutoCMD value from the shared preference file to the C&C server |
| DISABLE_ICON | Hides the app icon |
| KILLSOUND | Silences audio for calls and notifications |
| CHECKOVERLAY | Sends the overlay status |
| DEFOREGROUNDIFY | Stops the foreground service |
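The permission table, the Accessibility Service abuse, the registered CallScreeningService and the FCM command channel described above are all visible statically in an APK's manifest. The following script is an added triage example (not Cyble's tooling and not the malware's code) that parses an AndroidManifest.xml and flags that capability combination. The sample manifest is constructed for illustration: only the package name comes from the report; the component class names are hypothetical, and the intent-filter actions and binding permissions are the standard Android and Firebase values.

```python
"""Static manifest triage for the Drinik-style capability set:
SMS/call-log permissions + Accessibility Service + CallScreeningService + FCM.
Added example; the sample manifest is constructed (package name from the report,
component names hypothetical)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Permissions listed in the report's "harmful permissions" table.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Standard intent-filter actions and binding permissions for the abused services.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CALL_SCREENING_ACTION = "android.telecom.CallScreeningService"
CALL_SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def _service_actions(service):
    """Collect every <action android:name> declared under a <service>."""
    return {a.get(A_NAME) for f in service.findall("intent-filter")
            for a in f.findall("action")}


def triage_manifest(xml_text: str) -> dict:
    """Return the risky permissions, abused service types and a simple score."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    findings = {
        "package": root.get("package"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "accessibility_service": False,
        "call_screening_service": False,
        "fcm_receiver": False,
    }
    app = root.find("application")
    for svc in (app.findall("service") if app is not None else []):
        actions = _service_actions(svc)
        if ACCESSIBILITY_ACTION in actions or svc.get(A_PERM) == ACCESSIBILITY_BIND:
            findings["accessibility_service"] = True
        if CALL_SCREENING_ACTION in actions or svc.get(A_PERM) == CALL_SCREENING_BIND:
            findings["call_screening_service"] = True
        if FCM_ACTION in actions:
            findings["fcm_receiver"] = True
    # Heuristic: 1 point per risky permission, 3 per abused service type.
    service_flags = ("accessibility_service", "call_screening_service", "fcm_receiver")
    findings["score"] = (len(findings["risky_permissions"])
                         + 3 * sum(findings[k] for k in service_flags))
    return findings


# Constructed manifest mirroring the report's findings (component names hypothetical).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="lincoln.auy.iAssist">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="iAssist">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".CallSvc"
                 android:permission="android.permission.BIND_SCREENING_SERVICE">
            <intent-filter>
                <action android:name="android.telecom.CallScreeningService"/>
            </intent-filter>
        </service>
        <service android:name=".FcmSvc" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.benign.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The score is only a sorting aid for analysts: an SMS permission alone is common in legitimate apps, but SMS plus call-log access plus a self-declared Accessibility Service, a CallScreeningService and an FCM receiver in one package is the profile this report describes and is worth manual review.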
Some well-known Android banking trojans such as Hydra, BRATA, Anubis, and several others heavily rely on the Accessibility Service and have developed advanced features by successfully abusing this service.
CRIL observed that Drinik malware is also similarly evolving into an advanced threat by implementing powerful features that we have observed in other banking trojans.
Our analysis indicates that the TA behind Drinik is constantly working on updating their malware with new and advanced features. The TA had initially started developing malware by implementing sophisticated phishing pages for credential harvesting. However, our observations show that they have enhanced their framework with advanced features such as screen recording and keylogging to steal credentials of genuine income tax sites, banking credentials, and biometric details as well.
The malware is still developing, and we may observe a new variant of Drinik malware with new targets and techniques to target their victims.
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device to avoid unauthorized access obtained using malicious activities such as keylogging and screen recording.
- Use a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Defense Evasion | T1418 | Application Discovery |
| Discovery | T1426 | System Information Discovery |
| Collection | T1412 | Capture SMS Messages |
| Credential Access | T1411 | Input Prompt |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| 86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523 | SHA256 | Hash of the analyzed APK file |
| ba2fb55bb89c98aec3a2130b22584d8c299451ba | SHA1 | Hash of the analyzed APK file |
| 0c6257e385f33e46c1839f59bc4b53d7 | MD5 | Hash of the analyzed APK file |
| hxxp://192[.]227.196.185 | URL | Malicious IP hosting fake ITR site |
| 198[.]12.107[.]13 | IP | IP hosting C&C server |
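To put the indicators above, the C&C server named earlier in the analysis and the refund lure URL to use, the following script is an added example (not Cyble's tooling). It refangs the defanged values exactly as they appear in this report, matches them against DNS/proxy log lines, checks APK hashes, and base64-decodes the query parameters of the phishing redirect URL. The log lines are constructed for illustration; the indicators, hashes and lure URL are the report's own values.

```python
"""IoC refanging, log matching and lure-URL parameter decoding for the
indicators in this report. Added example; log lines are constructed."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Network indicators as defanged in the report.
DEFANGED_IOCS = {
    "hxxp://gia[.]3utilities.com": "C&C server",
    "198[.]12.107[.]13": "IP hosting C&C server",
    "hxxp://192[.]227.196.185": "IP hosting fake ITR site",
}
# Hashes of the analyzed APK from the IoC table.
APK_HASHES = {
    "86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523": "SHA256",
    "ba2fb55bb89c98aec3a2130b22584d8c299451ba": "SHA1",
    "0c6257e385f33e46c1839f59bc4b53d7": "MD5",
}
# Refund lure redirect URL from the report (defanged).
LURE_URL = ("hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved"
            "&id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t&owner=QWRtaW4%3D&source=App&uid=")


def refang(value: str) -> str:
    """Reverse the report's defanging: hxxp(s):// -> http(s)://, [.] -> ."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def ioc_hosts() -> dict:
    """Map each refanged hostname/IP (scheme stripped) to its description."""
    hosts = {}
    for raw, desc in DEFANGED_IOCS.items():
        clean = refang(raw)
        host = urlsplit(clean).hostname if "://" in clean else clean
        hosts[host.lower()] = desc
    return hosts


# Matches dotted IPv4 addresses or dotted hostnames inside free-form log text.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b",
                     re.IGNORECASE)


def scan_logs(lines) -> list:
    """Return (line_no, host, description) for every line naming a known IoC host."""
    known = ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            if host in known:
                hits.append((n, host, known[host]))
    return hits


def match_hash(digest: str):
    """Return the hash type if the digest is one of the report's APK hashes."""
    return APK_HASHES.get(digest.lower())


def decode_lure_params(url: str) -> dict:
    """Base64-decode query parameters where the value is valid base64 text."""
    qs = parse_qs(urlsplit(refang(url)).query, keep_blank_values=True)
    out = {}
    for key, vals in qs.items():
        raw = vals[0]
        try:
            text = base64.b64decode(raw, validate=True).decode("ascii")
            out[key] = text if text.isprintable() else raw
        except (ValueError, UnicodeDecodeError):
            out[key] = raw
    return out


# Constructed DNS/proxy log lines for a hypothetical infected client.
SAMPLE_LOG = [
    "2022-10-18T09:12:01Z dns query=gia.3utilities.com type=A client=10.0.0.23",
    "2022-10-18T09:12:02Z proxy GET http://198.12.107.13/ status=200 client=10.0.0.23",
    "2022-10-18T09:13:40Z dns query=eportal.incometax.gov.in type=A client=10.0.0.23",
    "2022-10-18T09:14:05Z proxy GET http://192.227.196.185/1305275237/uv4h.php status=200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print("IoC hit:", hit)
    print(decode_lure_params(LURE_URL))
```

Note that the genuine eportal.incometax.gov.in lookup on the third line produces no hit: the latest variant loads the real site, so traffic to it is not itself an indicator, and only the C&C domain, the C&C IP and the fake ITR host are matched.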