In October last year, analysts at Cyble published an article on the return of the Drinik malware that was first spotted by CERT-In in 2016. Last month during the tax-paying season of the year, I (Sharad Agarwal), a Ph.D. student at University College London (UCL) researching SMS phishing, found and identified an updated version of the Drinik malware that impersonates the Income Tax Department of India and targets the victim’s UPI (Unified Payment Interface) payment apps.
The iAssist.apk malware was being spread from the URL hxxp://198[.]46[.]177[.]176/IT-R/?id={mobile number} where the user is deceived into downloading a new version of the app, impersonating the Income Tax Department of India. Along with Daniel Arp, I analyzed the malware sample to check for new functionalities compared to previous versions. In the following, we give a brief overview of our findings.
Communication
Our analysis found that the malware communicates with the Command & Control (C&C) server hxxp://msr[.]servehttp[.]com, which is hosted on IP 107[.]174[.]45[.]116. It also silently drops another malicious APK file hosted on the C&C to the victim’s mobile that has already been identified and flagged as malware on VirusTotal – “GAnalytics.apk“.
The previous campaign used a different IP for its C&C communication. However, the hosting provider for the IP addresses, “ColoCrossing“, is the same as in the previous campaign. This strongly indicates that the Threat Actor behind both campaigns is also the same and is abusing the same hosting provider again. As has already been reported for previous versions of this malware, also the most recent version of the malware records the screen of the mobile device and sends the recorded data to the C&C server (see Figure 1).
Additionally, we also found the phone numbers used by the criminals to which the SMSs are sent through this malware (see Table 1). The malicious APK asks for READ, WRITE, RECEIVE, and SEND SMS permission during the installation and does not work unless the user accepts all the permissions (see Table 2).
| Indicator Type | Indicators |
|---|---|
| MD5 | 02e0f25d4a715e970cb235f781c855de |
| SHA256 | 99422143d1c7c82af73f8fdfbf5a0ce4ff32f899014241be5616a804d2104ebf |
| C&C hostname | hxxp://msr[.]servehttp[.]com |
| C&C IP Address | 107[.]174[.]45[.]116 |
| Dropped APK URL | hxxp://107[.]174[.]45[.]116/a/GAnalytics[.]apk |
| Dropped APK MD5 | 95adedcdcb650e476bfc1ad76ba09ca1 |
| Dropped APK SHA256 | 095fde0070e8c1a10342ab0c1edbed659456947a2d4ee9a412f1cd1ff50eb797 |
| UPI Apps targetted | Paytm, Phonepe, and GooglePay |
| SMS sent to Phone numbers | +91-7829-806-961 (Vodafone), +91-7414-984-964 (Airtel, Jaora, Madhya Pradesh), and +91-9686-590-728 (Airtel, Karnataka) |
Obfuscation
Similar to the previously reported version of the iAssist malware, this version also loads the legitimate Indian income tax site hxxps://eportal[.]incometax[.]gov[.]in using WebView, as shown in Figure 2. This new version uses a different obfuscation technique for strings to circumvent detection by antivirus products and impede its analysis. The code in Figure 3 shows the deobfuscation method used in the class azure.axs.iAssist.Bcq of the malware.
Targeting UPI payment apps
We find the following strings in the disassembled code of the onCreate method in class azure.axs.iAssist.Jcm. These indicate that this version of the malware targets UPI payment apps:
"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open GooglePay app and check your account balance for verification. Contact support immediately if your account Balance is not proper."
"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open Paytm app and check your account balance for verification. Contact support immediately if your account Balance is not proper."
"Deposit of Rs.59,000 to your account has been reversed as your bank server did not respond on time. Kindly open Phonepe app and check your account balance for verification. Contact support immediately if your account Balance is not proper."
After identifying the malware and analyzing its functionality, it was reported to the Indian Computer Emergency Response Team (CERT-In) to take the necessary actions.
| Permissions | Description |
|---|---|
| READ_SMS | Allows an application to access SMS messages |
| WRITE_SMS | Allows an application to draft SMS messages |
| SEND_SMS | Allows an application to send SMS messages |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| DOWNLOAD_WITHOUT_NOTIFICATION | Allows an application to download something without giving a notification to the user |
| POST_NOTIFICATIONS | Allows an app to post notifications |
| REQUEST_INSTALL_PACKAGES | Allows an application to request installing packages |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
| WAKE_LOCK | Allows the app to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming |
| USE_BIOMETRIC | Allows the app to use biometric hardware for authentication |
| USE_FINGERPRINT | Allows the app to use fingerprint hardware for authentication |
| VIBRATE | Allows the app to access the vibrator |