New Android Malware 'Ajina.Banker' Steals Financial Information and Bypasses 2FA via Telegram

Sep 12, 2024 | Ravie Lakshmanan | Mobile Security / Financial Fraud

Bank customers in the Central Asia region have been targeted by a new strain of Android malware named Ajina.Banker since at least November 2024, with the aim of harvesting financial details and intercepting two-factor authentication (2FA) messages.

Group-IB, the Singapore-headquartered company that uncovered the threat in May 2024, said the malware is distributed through a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, government services, or everyday utilities.

“The criminal has a group of partners incentivized by financial advantages, disseminating Android bank malware that focuses on regular users,” cybersecurity analysts Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov stated.

The targets in this ongoing operation include nations like Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.


There are indications that parts of the Telegram-based distribution process may have been automated to improve effectiveness. Multiple Telegram accounts are used to deliver tailored messages that contain links (either to other Telegram channels or to external resources) and APK files to unsuspecting victims.

Linking to Telegram channels that host the malicious files has the added benefit of sidestepping the security measures and restrictions imposed by many community chats, allowing the accounts to avoid bans when automated moderation is triggered.

Beyond exploiting the trust users place in genuine services to maximize infection rates, the modus operandi also involves distributing the malicious files in local Telegram chats by presenting them as giveaways and promotions that promise lucrative rewards and exclusive access to services.

“The employment of themed messages and localized promotion tactics turned out to be particularly successful in regional community chats,” the analysts stated. “By customizing their strategy to the interests and requirements of the local populace, Ajina was able to notably enhance the probability of successful infections.”

The threat actors have also been observed flooding Telegram channels with large numbers of messages from multiple accounts, sometimes simultaneously, suggesting a coordinated effort that likely relies on some form of automated distribution tooling.

The malware itself is fairly simple: once installed, it contacts a remote server and prompts the victim to grant access to SMS messages, phone number APIs, and current cellular network information, among other things.

Ajina.Banker can collect SIM card information, a list of installed financial apps, and SMS messages, all of which are then exfiltrated to the server.

Newer versions of the malware are also designed to serve phishing pages in an attempt to harvest banking credentials. In addition, they can access call logs and contacts, and abuse Android's accessibility services API to prevent uninstallation and grant themselves additional permissions.
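The capabilities described above (SMS access, phone-state access, enumeration of installed apps, and an accessibility service used to resist removal) each require a concrete declaration in an Android app's manifest. As an added triage example, not code from the article or from Group-IB, the following Python helper parses an AndroidManifest.xml and flags that combination; the sample manifest is constructed for illustration, not a real Ajina.Banker artifact.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to Ajina.Banker, mapped to the manifest
# declarations an Android app needs in order to obtain them.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
INVENTORY_PERM = "android.permission.QUERY_ALL_PACKAGES"  # needed to list installed (e.g. banking) apps
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which banker-style capabilities a manifest declares and whether to flag it."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(s.get(PERMISSION) == ACCESSIBILITY_PERM for s in root.iter("service"))
    findings = {
        "sms": bool(perms & SMS_PERMS),
        "phone_state": bool(perms & PHONE_PERMS),
        "app_inventory": INVENTORY_PERM in perms,
        "accessibility": accessibility,
    }
    hits = sum(findings.values())
    # SMS interception paired with an accessibility service (used to resist removal)
    # is the combination described in the article; flag it, or any three of the four.
    findings["flag"] = (findings["sms"] and findings["accessibility"]) or hits >= 3
    return findings


# Constructed sample manifest mimicking the permission set described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest can be extracted from an APK with a tool such as apktool before running the check; a sideloaded app that trips the flag is a candidate for closer review, not proof of infection.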


“The utilization of Java programmers, establishing a Telegram bot with the proposition of earning a profit, also implies that the tool is presently in active development and has the backing of a group of affiliated personnel,” the analysts mentioned.

“Evaluation of the file names, sample distribution techniques, and other actions of the cybercriminals points to a shared familiarity with the region in which they are operating.”

The disclosure comes as Zimperium uncovered links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).

“Domains with very similar structures (using identical unusual keywords as subdomains) and targets were utilized to disseminate Gigabud samples and were also utilized to spread SpyNote samples,” the company stated. “This overlap in distribution shows that the same threat actor probably controls both malware families, pointing to a well-coordinated and comprehensive campaign.”
