Return of a new version of Drinik Android malware targeting Indian Taxpayers

In October last year, analysts at Cyble published an article on the return of the Drinik malware, which was first spotted by CERT-In in 2016. Last month, during the tax-paying season, I (Sharad Agarwal), a Ph.D. student at University College London (UCL) researching SMS phishing, found and identified an updated version of the Drinik malware that impersonates the Income Tax Department of India and targets the victim's UPI (Unified Payment Interface) payment apps.

The iAssist.apk malware was being spread from the URL hxxp://198[.]46[.]177[.]176/IT-R/?id={mobile number}, where the user is deceived into downloading a "new version" of the app that impersonates the Income Tax Department of India. Together with Daniel Arp, I analyzed the malware sample to check for new functionality compared to previous versions. In the following, we give a brief overview of our findings.

Communication

Our analysis found that the malware communicates with the Command & Control (C&C) server hxxp://msr[.]servehttp[.]com, which is hosted on IP 107[.]174[.]45[.]116. It also silently drops a second malicious APK file, "GAnalytics.apk", hosted on the C&C server onto the victim's device; this file has already been identified and flagged as malware on VirusTotal.

The previous campaign used a different IP for its C&C communication. However, the hosting provider for the IP addresses, "ColoCrossing", is the same as in the previous campaign. This strongly indicates that the threat actor behind both campaigns is the same and is abusing the same hosting provider again. As has already been reported for previous versions of this malware, the most recent version also records the screen of the mobile device and sends the recorded data to the C&C server (see Figure 1).

Figure 1: Function to upload recorded videos to external C&C server.

Additionally, we found the phone numbers controlled by the criminals to which the malware forwards SMS messages (see Table 1). The malicious APK asks for the READ, WRITE, RECEIVE, and SEND SMS permissions during installation and does not work unless the user accepts all of them (see Table 2).

| Indicator Type | Indicators |
| --- | --- |
| MD5 | 02e0f25d4a715e970cb235f781c855de |
| SHA256 | 99422143d1c7c82af73f8fdfbf5a0ce4ff32f899014241be5616a804d2104ebf |
| C&C hostname | hxxp://msr[.]servehttp[.]com |
| C&C IP address | 107[.]174[.]45[.]116 |
| Dropped APK URL | hxxp://107[.]174[.]45[.]116/a/GAnalytics[.]apk |
| Dropped APK MD5 | 95adedcdcb650e476bfc1ad76ba09ca1 |
| Dropped APK SHA256 | 095fde0070e8c1a10342ab0c1edbed659456947a2d4ee9a412f1cd1ff50eb797 |
| UPI apps targeted | Paytm, Phonepe, and GooglePay |
| SMS sent to phone numbers | +91-7829-806-961 (Vodafone), +91-7414-984-964 (Airtel, Jaora, Madhya Pradesh), and +91-9686-590-728 (Airtel, Karnataka) |

Table 1: Indicators of Compromise (IoCs)

Obfuscation

Similar to the previously reported version of the iAssist malware, this version also loads the legitimate Indian income tax site hxxps://eportal[.]incometax[.]gov[.]in in a WebView, as shown in Figure 2. This new version uses a different string obfuscation technique to circumvent detection by antivirus products and to impede analysis. The code in Figure 3 shows the deobfuscation method used in the class azure.axs.iAssist.Bcq of the malware.

Figure 2: The malware loads the website of the Indian income tax department.

Figure 3: Code used to deobfuscate strings found in the malware.

Targeting UPI payment apps

We find the following strings in the disassembled code of the onCreate method in the class azure.axs.iAssist.Jcm. They indicate that this version of the malware targets UPI payment apps by luring the victim into opening them:

"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open GooglePay app and check your account balance for verification. Contact support immediately if your account Balance is not proper."
"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open Paytm app and check your account balance for verification. Contact support immediately if your account Balance is not proper."
"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open Phonepe app and check your account balance for verification. Contact support immediately if your account Balance is not proper."

After identifying the malware and analyzing its functionality, we reported it to the Indian Computer Emergency Response Team (CERT-In) so that the necessary actions could be taken.

| Permission | Description |
| --- | --- |
| READ_SMS | Allows an application to access SMS messages |
| WRITE_SMS | Allows an application to draft SMS messages |
| SEND_SMS | Allows an application to send SMS messages |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| DOWNLOAD_WITHOUT_NOTIFICATION | Allows an application to download something without giving a notification to the user |
| POST_NOTIFICATIONS | Allows an app to post notifications |
| REQUEST_INSTALL_PACKAGES | Allows an application to request installing packages |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
| WAKE_LOCK | Allows the app to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming |
| USE_BIOMETRIC | Allows the app to use biometric hardware for authentication |
| USE_FINGERPRINT | Allows the app to use fingerprint hardware for authentication |
| VIBRATE | Allows the app to access the vibrator |

Table 2: Permissions requested by iAssist.apk
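As an added triage example (not code from the original post or from the malware itself), the following Python script checks a decoded AndroidManifest.xml for the permission combinations listed in Table 2 (full SMS control, silent download plus install, keyguard disabling) and scans extracted strings for the "deposit reversed" UPI lure quoted above. The manifest, package name, and string list are constructed sample input; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Attribute key for android:name in a decoded manifest (standard Android namespace).
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permission groupings taken from Table 2; each name is the suffix of android.permission.*
SMS_FULL_CONTROL = {"READ_SMS", "WRITE_SMS", "SEND_SMS", "RECEIVE_SMS"}
SILENT_INSTALL = {"REQUEST_INSTALL_PACKAGES", "DOWNLOAD_WITHOUT_NOTIFICATION"}

# Pattern for the UPI lure strings found in Jcm.onCreate; the capture group is the app named.
LURE_RE = re.compile(
    r"Deposit of Rs\.[\d,]+ to your account has been reversed.*?"
    r"Kindly open (\w+) app and check your account balance",
    re.IGNORECASE | re.DOTALL,
)

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the short names of all <uses-permission> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        node.get(ANDROID_NAME, "").rsplit(".", 1)[-1]   # android.permission.READ_SMS -> READ_SMS
        for node in root.iter("uses-permission")
    }

def assess(manifest_xml: str, strings: list[str]) -> dict:
    """Flag the Table 2 permission combinations and any UPI lure strings."""
    perms = manifest_permissions(manifest_xml)
    lured = {m.group(1) for s in strings for m in LURE_RE.finditer(s)}
    return {
        "sms_full_control": SMS_FULL_CONTROL <= perms,
        "silent_install": SILENT_INSTALL <= perms,
        "keyguard_disable": "DISABLE_KEYGUARD" in perms,
        "upi_lure_apps": sorted(lured),
    }

# Constructed sample manifest (placeholder package name, not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
</manifest>"""

# Constructed string list: one benign string plus two of the lures quoted in the write-up.
SAMPLE_STRINGS = [
    "Income Tax Department",
    "Deposit of Rs.59,000 to your account has been reversed as your bank server did not "
    "respond on time. Kindly open GooglePay app and check your account balance for verification.",
    "Deposit of Rs.59,000 to your account has been reversed as your bank server did not "
    "respond on time. Kindly open Phonepe app and check your account balance for verification.",
]
```

On a real sample, feed it the manifest produced by apktool (or a similar decoder) and the output of a strings dump of the decompiled classes.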
