Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1437 | Application Layer Protocol | Drinik has code to use Firebase Cloud Messaging for receiving C2 instructions.[1] |
| Mobile | T1616 | Call Control | Drinik can use the Android |
| Mobile | T1533 | Data from Local System | Drinik can request the |
| Mobile | T1646 | Exfiltration Over C2 Channel | |
| Mobile | T1541 | Foreground Persistence | Drinik has C2 commands that can move the malware in and out of the foreground.[1] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | |
| Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | Drinik can use Accessibility Services to disable Google Play Protect.[1] |
| Mobile | T1417.001 | Input Capture: Keylogging | Drinik can use keylogging to steal user banking credentials.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Drinik can use overlays to steal user banking credentials entered into legitimate sites.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Drinik has used custom encryption to hide strings, potentially to evade antivirus products.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | |
| Mobile | T1636.004 | Protected User Data: SMS Messages | |
| Mobile | T1513 | Screen Capture | Drinik can record the screen via the |
| Mobile | T1582 | SMS Control | Drinik can steal incoming SMS messages and send SMS messages from compromised devices.[1] |