Elibomi / Drinik
India-focused spyware and banking trojan targeting Indian taxpayers and bank customers. First seen in November 2020, Elibomi evolved through multiple stages, progressing from a simple phishing tool to a full banking trojan with screen recording, keylogging, and Accessibility Service abuse. CERT-In issued an advisory in September 2021 warning about Drinik (an evolved variant name) targeting customers of 27 banks.
Overview
| Property | Value |
|---|---|
| First Seen | November 2020 (Elibomi); Drinik SMS stealer variants date to 2016 |
| Type | Spyware / Banking trojan |
| Attribution | Unknown (India-exclusive targeting) |
| Aliases | Android/Elibomi (McAfee), Drinik (Cyble, CloudSEK) |
Distribution
SMS phishing (smishing) with personalized messages containing the victim's name. The malicious apps impersonated the Indian Income Tax Department and iMobile apps.
Evolution
| Version | Period | Capabilities |
|---|---|---|
| v1 (Elibomi) | 2020-2021 | Phishing pages for banking credentials, SMS permissions, Device Admin |
| v2 (Drinik) | 2022 | Added screen recording + phishing, targeted 18+ Indian banks |
| v3 (Drinik) | 2023 | Loads genuine Income Tax website, screen recording + keylogging, Accessibility abuse, overlay attacks |
Notable Campaigns
- November 2020: Fake "IT Certificate" app
- May 2021: Fake iMobile Income Tax app
- September 2021: CERT-In advisory warning about Drinik targeting 27 banks
- 2022-2023: Evolved variants targeting 18+ Indian banks with advanced capabilities
Sensitive stolen data was found exposed on the internet, not just in attacker hands.