S1054 Drinik
Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.[1]
| Item | Value |
|---|---|
| ID | S1054 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 January 2023 |
| Last Modified | 13 April 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | Drinik has code to use Firebase Cloud Messaging for receiving C2 instructions.[1] |
| mobile | T1616 | Call Control | Drinik can use the Android CallScreeningService to silently block incoming calls.[1] |
| mobile | T1533 | Data from Local System | Drinik can request the READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE Android permissions.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | Drinik can send stolen data back to the C2 server.[1] |
| mobile | T1541 | Foreground Persistence | Drinik has C2 commands that can move the malware in and out of the foreground.[1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | Drinik can hide its application icon.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Drinik can use Accessibility Services to disable Google Play Protect.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Drinik can use keylogging to steal user banking credentials.[1] |
| mobile | T1417.002 | GUI Input Capture | Drinik can use overlays to steal user banking credentials entered into legitimate sites.[1] |
| mobile | T1406 | Obfuscated Files or Information | Drinik has used custom encryption to hide strings, potentially to evade antivirus products.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Drinik can request the READ_CALL_LOG permission.[1] |
| mobile | T1636.004 | SMS Messages | Drinik can collect user SMS messages.[1] |
| mobile | T1513 | Screen Capture | Drinik can record the screen via the MediaProjection library to harvest user credentials, including biometric PINs.[1] |
| mobile | T1582 | SMS Control | Drinik can steal incoming SMS messages and send SMS messages from compromised devices.[1] |