Bank customers in the Central Asian region have been targeted by a new strain of Android malware, dubbed Ajina.Banker, since at least November 2023, with the goal of stealing financial information and intercepting two-factor authentication (2FA) messages.
Ajina.Banker and its mysterious origins
The Ajina.Banker malware, discovered in May 2024 by the Singapore-based company Group-IB, is being spread through a network of Telegram channels created by the same attackers behind Ajina.Banker, disguised as legitimate applications related to banking, payment systems, government services or everyday utilities.
“Criminals have a network of affiliates motivated by financial gain, who spread Android banking malware targeting common users,” said security researchers Boris Martynyuk, Pavel Naumov and Anvar Anarkulov.
Ajina.Banker’s goals
Countries involved in the ongoing campaign include Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine and Uzbekistan.
There is evidence to suggest that some aspects of the Telegram-based malware distribution process may have been automated to improve efficiency; the numerous Telegram accounts are designed to send specially crafted messages containing links, either to other Telegram channels or to external sources, and APK files to unsuspecting targets.
Using links to Telegram channels hosting malicious files has the advantage of bypassing security measures and restrictions imposed by many community chats, thus allowing accounts to avoid bans when automatic moderation is activated.
Ajina.Banker’s exploitation of entirely legitimate services
In addition to exploiting the trust that users place in legitimate services to maximize infection rates, the modus operandi includes sharing malicious files in local Telegram chats, passing them off as freebies or promotions that promise attractive prizes and exclusive access to services.
“The use of themed messages and localized promotion strategies has proven particularly effective in regional community chats,” the researchers said. “By adapting their approach to the interests and needs of the local population, Ajina managed to significantly increase the probability of successful infections.”
The cybercriminals behind Ajina.Banker have also been observed bombarding Telegram channels with numerous messages from multiple accounts, sometimes simultaneously, indicating a coordinated effort that likely employed an automated distribution tool.
Ajina.Banker: as simple as it is “lethal”
The malware is quite simple: once installed, it establishes contact with a remote server and asks the victim for permission to access SMS messages, phone-number APIs and current cellular network information, among other things.
Ajina.Banker is able to collect information about SIM cards, a list of installed financial apps and SMS messages, which are then exfiltrated to the server.
New versions of the malware are also designed to deliver phishing pages in an attempt to collect banking information; they can also access call logs and contacts, as well as abuse Android Accessibility Services APIs to prevent uninstallation and grant themselves additional permissions.
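The permission mix described above (SMS access, telephony data, and a self-declared Accessibility Service used to resist uninstallation) is something an analyst can check for directly in a decoded AndroidManifest.xml. The following triage script is an added example, not code from the article or from Group-IB; the capability groups and the sample manifest are constructed for illustration and do not reproduce any real Ajina.Banker artifact.

```python
"""Triage a decoded AndroidManifest.xml for the capability mix described
in the article: SMS access, telephony/SIM data, call logs/contacts, and a
self-declared Accessibility Service.  Sample input is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups mapped to the behaviours attributed to the malware.
CAPABILITIES = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony_info": {"android.permission.READ_PHONE_STATE",
                       "android.permission.READ_PHONE_NUMBERS"},
    "call_log_contacts": {"android.permission.READ_CALL_LOG",
                          "android.permission.READ_CONTACTS"},
}

def triage_manifest(xml_text: str) -> dict:
    """Return the declared capabilities plus a simple verdict."""
    root = ET.fromstring(xml_text)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if declared & perms}
    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service: legitimate for assistive apps, a red flag paired with SMS access.
    if any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
           for svc in root.iter("service")):
        found.add("accessibility_service")
    suspicious = "sms_access" in found and "accessibility_service" in found
    return {"capabilities": sorted(found), "suspicious": suspicious}

# Constructed manifest of a "utility" app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with a decoder such as apktool; a declared accessibility service alongside SMS permissions in an app that has no assistive purpose deserves manual review.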
Google Play Store: Ajina.Banker appears not to have touched it
Google has stated that it found no evidence that the malware is being spread via the Google Play Store and that Android users are protected from the threat by Google Play Protect, which is enabled by default on Android devices with Google Play Services.
“The hiring of Java programmers and the creation of Telegram bots with the proposal to earn money also indicate that the tool is under active development and has the support of a network of affiliates,” the researchers said.
The researchers then reiterated that: “Analysis of file names, sample distribution methods, and other attacker activity suggests cultural familiarity with the region in which they operate.”
The revelation comes as Zimperium has discovered links between two Android malware families known as SpyNote and Gigabud (which is part of the GoldFactory family, which also includes GoldDigger).
“Domains with a very similar structure (using the same unusual keywords as subdomains) and the targets used to spread Gigabud samples were also used to distribute SpyNote samples,” the company said. “This overlap in distribution shows that it is likely the same cybercriminal [or group of cybercriminals] is behind both malware families, indicating a well-coordinated and broad campaign.”