The Indian Computer Emergency Response Team (CERT-In), the cybersecurity agency of the Ministry of Electronics and Information Technology, has released an advisory alerting users about a new malware that is attacking customers of various Indian banks.
The new mobile banking malware is called Drinik. A few years ago, this Android malware was used to steal SMS messages. It has recently evolved into a banking trojan that uses phishing to trick users into entering sensitive banking information.
Customers of more than 27 Indian banks, including major public and private sector banks, have already been targeted by the attackers using this malware, according to CERT-In.
CERT-In has said that these attacks can put the privacy and security of sensitive customer data at risk and can also lead to large-scale attacks and financial frauds.
CERT-In has said that users who notice any such suspicious activity should immediately report it to incident@cert-in.org.in.
CERT-In is the federal technology arm charged with preventing cyber-attacks and protecting Indian cyberspace from malware, hacking attacks, and other types of online threats.
How does the malware work?
The victim first receives an SMS with a link to download the malicious APK file in order to complete verification. They are asked to enter their personal information on a website that is similar to the website of the Income Tax Department.
"This malicious Android app masquerades as the Income Tax Department app and after installation, the app asks the user to grant necessary permissions like SMS, call logs, contacts, etc," CERT-In said in the advisory.
"If the user does not enter any information on the website, the same screen with the form is displayed in the Android application and the user is asked to fill in to proceed," it read.
The data the user is required to enter includes PAN, Aadhaar number, address, date of birth, mobile number, email address, IFS code, debit card number, CVV, etc.
When the user enters the amount and clicks "Transfer", the app displays an error and shows a fake update screen.
"While the screen for installing the update is shown, Trojan in the backend sends the user's details including SMS and call logs to the attacker's machine," CERT-In said.
"These details are then used by the attacker to generate the bank-specific mobile banking screen and render it on the user's machine. The user is then requested to enter the mobile banking credentials which are captured by the attacker," the advisory read.