The Indian Computer Emergency Response Team (CERT-In) has issued an advisory warning all Android users about malware called Drinik. Drinik is distributed through a malicious application that promises to generate income tax refunds and instead extracts sensitive information from the device. According to CERT-In, customers of more than 27 major Indian public and private sector banks have already been targeted by this Android malware.

The experts at the nodal agency said that the attackers lure victims with a link to a phishing website impersonating the Income Tax Department portal. The website then asks users for permission to install an app, and that app carries the Drinik malware onto the phone.

What is Drinik Malware?

Drinik Malware is one of the most commonly circulating Android malware families at present. Once its app is installed, it lets the attackers extract sensitive information from the phone. The victim usually receives an SMS containing a link related to an income tax refund. Clicking the link starts the download of an APK file, and once that file has been installed the phone becomes an easy target for the attackers. Keep in mind that most such malware is spread through sideloaded APK files, and official websites never ask a user to install an app from an unauthorised source.

Some users have also reported that if no details are entered on the fake website, the same form keeps popping up in the malware app until it is filled in and submitted. The form asks for sensitive data such as the user's full name, PAN, Aadhaar number, address, date of birth, mobile number and email address, together with financial details such as account number, IFSC, CIF number, debit card number, expiry date, CVV and PIN. Apart from this, here is a list of hashes and servers that can be used for reference while identifying the Drinik Malware.

How to identify the Drinik Malware?

Check for file hashes (MD5) like:

103824893e45fa2177e4a655c0c77d3b
28ef632aeee467678b9ac2d73519b00b
78745bddd887cb4895f06ab2369a8cce
8cc1e2baeb758b7424b6e1c81333a239
e60e4f966ee709de1c68bfb1b96a8cf7
00313e685c293615cf2e1f39fde7eddd
04c3bf5dbb5a27d7364aec776c1d8b3b

Check for C2 servers like:

jsig.quicksytes[.]com
c4.mypsx[.]net
fcm.pointto[.]us
Rfb.serveexchange[.]com
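The hashes and C2 domains above are only useful once they are matched against something. The script below is an added example, not code from CERT-In or from this article: it takes the MD5 hashes and the defanged C2 domains exactly as listed, refangs the domains, and scans a few constructed log lines (a DNS query log, an on-device AV scan log and an HTTP proxy log, all invented for the example) for hits. The log formats and the sample values other than the listed indicators are assumptions.

```python
import re

# MD5 hashes listed in the CERT-In advisory quoted above.
DRINIK_MD5 = {
    "103824893e45fa2177e4a655c0c77d3b",
    "28ef632aeee467678b9ac2d73519b00b",
    "78745bddd887cb4895f06ab2369a8cce",
    "8cc1e2baeb758b7424b6e1c81333a239",
    "e60e4f966ee709de1c68bfb1b96a8cf7",
    "00313e685c293615cf2e1f39fde7eddd",
    "04c3bf5dbb5a27d7364aec776c1d8b3b",
}

# C2 domains as published, in defanged form ('[.]' instead of '.').
DRINIK_C2_DEFANGED = [
    "jsig.quicksytes[.]com",
    "c4.mypsx[.]net",
    "fcm.pointto[.]us",
    "Rfb.serveexchange[.]com",
]


def refang(indicator):
    """Turn a defanged indicator back into a matchable, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DRINIK_C2 = {refang(d) for d in DRINIK_C2_DEFANGED}

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for h in MD5_RE.findall(line):
        if h.lower() in DRINIK_MD5:
            hits.append(("md5", h.lower()))
    for d in DOMAIN_RE.findall(line):
        d = d.lower()
        # Match the C2 host itself or any subdomain of it.
        if d in DRINIK_C2 or any(d.endswith("." + c2) for c2 in DRINIK_C2):
            hits.append(("c2", d))
    return hits


def scan_logs(lines):
    """Return (line_number, line, hits) for every line that contains an indicator."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample log lines (not real telemetry); only the indicators are from the advisory.
SAMPLE_LOGS = [
    "2021-09-28T10:02:11 dns query client=10.0.0.5 qname=jsig.quicksytes.com type=A",
    "2021-09-28T10:02:15 dns query client=10.0.0.5 qname=updates.example.com type=A",
    "2021-09-28T10:05:40 av scan path=/sdcard/Download/itr_refund.apk md5=78745BDDD887CB4895F06AB2369A8CCE verdict=unknown",
    "2021-09-28T10:07:02 http host=rfb.serveexchange.com method=POST uri=/upload",
    "2021-09-28T10:09:19 av scan path=/sdcard/Download/notes.apk md5=d41d8cd98f00b204e9800998ecf8427e verdict=clean",
]

if __name__ == "__main__":
    for n, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
        print(f"  {line}")
```

Hash matching is case-insensitive and domain matching also catches subdomains of the listed C2 hosts, which is how such indicators are usually consumed by a SIEM rule; the defanging step is kept separate so the indicator list can be pasted from an advisory without manual editing.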

Check for Spreading URLs like: