{
	"id": "302b167a-ed6d-473f-9a93-8994b0b9ec4f",
	"created_at": "2026-04-06T00:18:13.140485Z",
	"updated_at": "2026-04-10T13:13:06.271191Z",
	"deleted_at": null,
	"sha1_hash": "95844a42ec5c4514ae6805c86f55fb0b8d4ebabb",
	"title": "Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1919977,
	"plain_text": "Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers\r\nBy cybleinc\r\nPublished: 2022-10-27 · Archived: 2026-04-05 22:38:11 UTC\r\nAndroid Banking Trojan Stealing User’s Data Via Screen Recording and Keylogging\r\nIn September 2021, the Indian Computer Emergency Response Team (CERT-In) issued a warning about a new malware strain targeting Indian taxpayers and mentioned that customers of around 27 banks were at risk of this attack. The Threat Actors (TA) behind this campaign were suspected of using Drinik malware. An early variant of Drinik malware was first spotted in 2016 as an SMS stealer. Around August 2021, the malware was observed to be active again, this time evolving into an Android banking trojan.\r\nCyble Research \u0026 Intelligence Labs (CRIL) has constantly been monitoring the different variants of Drinik Android malware. In September 2021, CRIL released a blog on a masquerading income tax application that targeted Indian taxpayers to steal Personally Identifiable Information (PII) and banking credentials through phishing attacks.\r\nRecently, CRIL identified an upgraded version of Drinik impersonating the Income Tax Department of India and targeting 18 Indian banks (bank names are explicitly mentioned in the malicious APK file).\r\nThe TA uses the same campaign theme to lure the victim, but the malware has been upgraded with advanced capabilities. We have listed the main features implemented in the new variant, making the malware an advanced threat:\r\nScreen Recording to harvest credentials\r\nKeylogging\r\nAbusing CallScreeningService to manage incoming calls\r\nReceiving commands via FirebaseCloudMessaging\r\nThe malware variant is communicating with Command \u0026 Control (C\u0026C) server hxxp://gia[.]3utilities.com, which is hosted on IP 198[.]12.107[.]13. 
Our investigation confirmed that the previous campaign also used the same IP for its C\u0026C communication, indicating that the Threat Actor (TA) behind both campaigns is the same.\r\nThe below figure shows the details of the C\u0026C IP address and its connection with the previous campaign.\r\nhttps://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/\r\nPage 1 of 13\n\nFigure 1 – IP address of C\u0026C server associated with old Drinik variant\r\nEvolution of Drinik:\r\nCRIL observed 3 different variants of this malware since last year. The first variant was observed in September 2021, when the malware used phishing pages to steal credentials. In 2022, two new variants have been identified in the wild, introducing Screen Recording and Keylogging features.\r\nThe figure below shows the timeline of Drinik malware and its features.\r\nFigure 2 – Evolution of Drinik Banking Trojan\r\nDuring our investigation, we found that the first version uses a simple phishing page to steal banking credentials, whereas the second version uses screen recording alongside the phishing technique.\r\nFinally, the third and latest version loads the genuine income tax department site and uses screen recording along with a keylogging functionality to steal the login credentials. 
The below figure shows the login page of three different versions.\r\nFigure 3 – Login pages of Drinik malware versions\r\nIn this analysis, we take a look at the latest sample “iAssist.apk (86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523)” of Drinik malware observed on October 18, 2022, which has additional code for abusing the CallScreeningService.\r\nBy abusing this service, the malware can disallow incoming calls without the user’s knowledge. Additionally, the strings present in the file are encrypted to evade detection by antivirus products, and the malware decrypts them during run time using a custom decryption logic. The figure below shows the code snippet used by the malware to decrypt the encrypted strings.\r\nFigure 4 – Code to decrypt strings\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: iAssist\r\nPackage Name: lincoln.auy.iAssist\r\nSHA256 Hash: 86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523\r\nThe metadata information of the application is shown below.\r\nFigure 5 – App Metadata Information\r\nManifest Description\r\nThe harmful permissions requested by the malware are:\r\nPermission Description\r\nRECEIVE_SMS Allows an application to receive SMS messages\r\nREAD_SMS Allows an application to read SMS messages on the phone\r\nSEND_SMS Allows an application to send SMS messages\r\nREAD_CALL_LOG Allows an application to read the user’s call log\r\nREAD_EXTERNAL_STORAGE Allows an application to read from external storage\r\nWRITE_EXTERNAL_STORAGE Allows an application to write to external storage\r\nSource Code Review\r\nLike many other banking trojans, the new variant of 
Drinik relies on the Accessibility Service. After launching, the malware prompts the victim to grant permissions, followed by a request to enable the Accessibility Service.\r\nIt then abuses the service to obtain the permissions it needs to start screen recording, disable Google Play Protect, execute auto-gestures, and capture key logs.\r\nFigure 6 – Malware prompting users to grant Accessibility Service permissions\r\nThe latest Drinik variant loads the genuine Indian income tax site hxxps://eportal[.]incometax.gov.in using WebView instead of displaying fake phishing pages.\r\nFigure 7 – Malware loading genuine Indian income tax portal using WebView\r\nBefore showing the login page to the victim, the malware displays an authentication screen for biometric verification. When the victim enters a PIN, the malware steals the biometric PIN by recording the screen using MediaProjection and also captures keystrokes.\r\nThe malware then sends the stolen details to the C\u0026C server, as shown below.\r\nFigure 8 – Malware sending Biometric PIN to C\u0026C Server\r\nAfter authentication, the malware displays the genuine site loaded into a WebView. 
Drinik starts screen recording as soon as the victim enters the User ID (such as PAN/AADHAR/Other valid user ID) and sends the recording to the C\u0026C server.\r\nIn the latest version of Drinik, the TA only targets victims with legitimate income tax site accounts.\r\nFigure 9 – Malware loading genuine income tax site\r\nOnce the victim logs in to the genuine site, the malware executes the onPageFinished() method, which checks the loaded URL to validate the login status.\r\nThe malware then checks whether the loaded URL is one of the following to confirm the user’s successful login:\r\nhxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard\r\nhxxps://eportal.incometax[.]gov.in/iec/foservices/#/login\r\nFigure 10 – Malware executing onPageFinished()\r\nIf the onPageFinished() method receives the URL hxxps://eportal.incometax[.]gov.in/iec/foservices/#/login, this indicates that the login has failed.\r\nThe malware can also save the login state and retrieve it using the getLogingStat command, which identifies whether the victim is new or has already logged in.\r\nIf the victim is new, the malware shows the message “To use this functionality, you are required to log in first!” and prompts them to log in. Otherwise, the malware initiates the phishing activity, considering the user logged in successfully. The below figure shows the code snippet used to receive the login status.\r\nFigure 11 – Receiving login status\r\nAfter successful login, the genuine site redirects to the dashboard URL “hxxps://eportal.incometax[.]gov.in/iec/foservices/#/dashboard”. 
The malware then checks for this URL in the onPageFinished() method and displays a fake dialogue box with the below message:\r\nOur database indicates that you are eligible for an instant tax refund of Rs.57,100/- from your previous tax miscalculations till date. Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes.\r\nFigure 12 – Malware displaying dialogue box after successful login\r\nWhen the victim clicks the “Apply” button, the malware opens the phishing URL hxxp://gia.3utilities[.]com/Refund/redir.php?i=RefundApproved\u0026source=App\u0026uid= as shown in the below figure.\r\nFigure 13 – Malware loading phishing URL\r\nThe phishing URL redirects to hxxp://192.227.196[.]185/1305275237/uv4h.php?action=Refund_Approved\u0026id=YWI1MzYxY0A3OTEyNDA0MzY2NTMuY29t\u0026owner=QWRtaW4%3D\u0026source=App\u0026uid=, a site which impersonates the genuine Income Tax Department of India to lure victims into submitting sensitive data.\r\nFigure 14 – Phishing refund page\r\nAfter clicking on the “Proceed to the verification steps” button, the malware prompts the victim to submit personal details such as full name, Aadhar number, PAN number, and other details along with financial information, which includes Account number, Credit card number, CVV, and PIN.\r\nThis stolen data is further sent to the C\u0026C server and can be used by the TA to perform fraudulent transactions.\r\nFigure 15 – Phishing site asking for personal details\r\nFigure 16 – Phishing site asking for financial information\r\nAfter submitting the details, the malware displays the 
confirmation page with all the details entered by the victim. Further, it prompts the victim to verify ITR (Income Tax Returns) details using net banking credentials.\r\nFigure 17 – Confirmation details page\r\nFigure 18 – Phishing site prompting net banking credentials for verification\r\nAlongside stealing credentials via screen recording and phishing pages, we also observed the malware targeting Indian banks by abusing the Accessibility Service.\r\nWhenever any event triggers the Accessibility Service, the malware checks the source of the event against the bank keywords stored in the shared preference key “newCLICKJACK”. If a keyword matches, the malware collects the keylogging data, which could contain banking credentials.\r\nFigure 19 – Targeting Indian banks with a keylogging feature\r\nThe malware has registered a CallScreeningService in the manifest file. Default dialers or third-party apps use the CallScreeningService to allow or disallow incoming calls before displaying them to users.\r\nDrinik malware abuses this service to disallow incoming calls, likely to prevent the interruption of any ongoing malicious activities, and sends the incoming call status to the C\u0026C server.\r\nFigure 20 – Malware abusing CallScreeningService to disallow incoming calls\r\nThe malware receives commands via FirebaseCloudMessaging (FCM) and saves them to the variable “processCMD”.\r\nThe malware then executes the respective malicious task based on the commands received from FCM to perform other malicious activities on the infected device. 
Some of the commands received via FCM are:\r\nCommand Description\r\nVERIFYMOBILE Verifies the device registration status\r\nOPENAPPCOMPONENT Starts the app component activity received from the server\r\nGETAUTOCMD Sends the AutoCMD value from the shared preference file to the C\u0026C server\r\nDISABLE_ICON Hides the app icon\r\nKILLSOUND Silences audio for calls and notifications\r\nCHECKOVERLAY Sends the overlay status\r\nDEFOREGROUNDIFY Stops the foreground service\r\nConclusion\r\nSome well-known Android banking trojans such as Hydra, BRATA, Anubis, and several others heavily rely on the Accessibility Service and have developed advanced features by successfully abusing this service.\r\nCRIL observed that Drinik malware is similarly evolving into an advanced threat by implementing powerful features that we have observed in other banking trojans.\r\nOur analysis indicates that the TA behind Drinik is constantly working on updating their malware with new and advanced features. The TA had initially started developing the malware by implementing sophisticated phishing pages for credential harvesting. However, our observations show that they have enhanced their framework with advanced features such as screen recording and keylogging to steal credentials for the genuine income tax site, banking credentials, and biometric details as well.\r\nThe malware is still developing, and we may observe a new variant of Drinik malware with new targets and techniques to target their victims.\r\nOur Recommendations\r\nDownload and install software only from official app stores like Play Store or the iOS App Store. 
\r\nNever share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device to avoid unauthorized access obtained using malicious activities such as keylogging and screen recording.\r\nUsing a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobiles.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as a Legitimate Application\r\nDefense Evasion T1418 Application Discovery\r\nDiscovery T1426 System Information Discovery\r\nImpact T1616 Call Control\r\nCollection T1513 Screen Capture\r\nPersistence T1402 Broadcast Receivers\r\nCollection T1412 Capture SMS Messages\r\nCredential Access T1411 Input Prompt\r\nExfiltration T1567 Exfiltration Over Web Service\r\nIndicators of Compromise (IOCs)\r\nIndicators Indicator Type Description\r\n86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523 SHA256 Hash of the analyzed APK file\r\nba2fb55bb89c98aec3a2130b22584d8c299451ba SHA1 Hash of the analyzed APK file\r\n0c6257e385f33e46c1839f59bc4b53d7 MD5 Hash of the analyzed APK file\r\nhxxp://gia.3utilities[.]com URL C\u0026C URL\r\nhxxp://192[.]227.196.185 
URL Malicious IP hosting fake ITR site\r\n198[.]12.107[.]13 IP IP hosting C\u0026C server\r\nSource: https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"
	],
	"report_names": [
		"drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95844a42ec5c4514ae6805c86f55fb0b8d4ebabb.pdf",
		"text": "https://archive.orkl.eu/95844a42ec5c4514ae6805c86f55fb0b8d4ebabb.txt",
		"img": "https://archive.orkl.eu/95844a42ec5c4514ae6805c86f55fb0b8d4ebabb.jpg"
	}
}