Novel Android Malware ‘Ajina.Banker’ Pilfers Financial Data and Skirts 2FA through Telegram

September 12th, 2024Ravie LakshmananMobile Security / Financial Fraud


In Central Asia, customers of financial institutions are being targeted by a new strain of Android malware called Ajina.Banker, active since November 2024, with the goal of harvesting financial data and intercepting two-factor authentication (2FA) messages.

Singapore-based Group-IB, which discovered the threat in May 2024, said the malware is distributed through a network of Telegram channels set up by the threat actors, posing as legitimate applications related to banking, payment systems, government services, and everyday utilities.

“A circle of affiliates driven by monetary motives are introducing Android banker malware targeting regular users,” security analysts Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov explained.

Regions at the focus of this persistent campaign include countries like Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.

There are indications suggesting that parts of the process of distributing the Telegram-based malware may have been automated for enhanced efficiency. A variety of Telegram accounts are structured to transmit tailored messages containing links – either to different Telegram channels or external sources – along with APK files to unwitting recipients.

The utilization of links directing to Telegram channels hosting malevolent files also provides an advantage by eluding security measures and constraints implemented by various group chats, enabling the accounts to bypass bans triggered by automated moderation.

In addition to exploiting the reliance users have on legitimate services to heighten infection rates, the methodology also entails disseminating the malicious files in local Telegram chats by presenting them as giveaways and promotions promising substantial rewards and exclusive service access.

“Utilizing thematic messages and localized promotional techniques demonstrated marked effectiveness in regional community chats,” the analysts highlighted. “By adjusting their strategy to match the preferences and requirements of the local populace, Ajina managed to significantly boost successful infection prospects.”

The wrongdoers have been observed bombarding Telegram channels with multiple messages using numerous accounts concurrently, implying a concerted endeavor likely employing a form of automated dissemination mechanism.

The malware itself is relatively straightforward in function: upon installation, it establishes communication with a remote server and prompts the victim to grant access to text messages, phone number APIs, and current cellular network details, among other permissions.

Ajina.Banker holds the capacity to retrieve SIM card data, a record of installed financial applications, and text messages, which are then forwarded to the server.

Recent variants of the malware are tailored to produce fake pages aimed at harvesting banking data. They can also read call records and contacts, and abuse Android’s accessibility services API to block uninstallation and grant themselves additional permissions.
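The permission profile described in the preceding paragraphs (SMS access, SIM and phone-state details, enumeration of installed banking apps, call logs, contacts, and an accessibility service used to resist removal) is something a defender can check for at triage time. The following is an added example, not code from Group-IB or from the original article: it parses a decoded AndroidManifest.xml and flags that combination. The manifest text, the `RISK_INDICATORS` table and the weights in it are constructed for illustration, not a published scoring scheme or a real sample.

```python
"""Triage a decoded AndroidManifest.xml for the banker-style permission
profile described in the article: SMS interception, phone/SIM state,
package enumeration, call log/contacts, and an accessibility service.

Added example; not the project's or the article's own code. The manifest
below and the weights are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article ties to the malware's behaviour. The weights are
# an assumption made for this example, not a published scoring scheme.
RISK_INDICATORS = {
    "android.permission.RECEIVE_SMS": ("intercepts incoming SMS (2FA codes)", 3),
    "android.permission.READ_SMS": ("reads stored SMS", 3),
    "android.permission.READ_PHONE_STATE": ("reads SIM / network details", 1),
    "android.permission.READ_PHONE_NUMBERS": ("reads the device phone number", 1),
    "android.permission.QUERY_ALL_PACKAGES": ("enumerates installed (banking) apps", 2),
    "android.permission.READ_CALL_LOG": ("reads call records", 1),
    "android.permission.READ_CONTACTS": ("reads contacts", 1),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest imitating the described profile (not a real sample).
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Bank">
        <service android:name=".A11y"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, declared permissions and whether an
    accessibility service is declared."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    permissions = {el.get(name_attr) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; the article notes the malware abuses this
    # API to block uninstallation and grant itself further permissions.
    has_a11y = any(svc.get(perm_attr) == ACCESSIBILITY_PERMISSION
                   for svc in root.iter("service"))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_service": has_a11y,
    }


def assess(info):
    """Score the parsed manifest and list human-readable findings."""
    findings, score = [], 0
    for perm in sorted(info["permissions"]):
        if perm in RISK_INDICATORS:
            reason, weight = RISK_INDICATORS[perm]
            findings.append(f"{perm}: {reason}")
            score += weight
    if info["accessibility_service"]:
        findings.append("declares an accessibility service "
                        "(possible uninstall blocking / self-granting)")
        score += 3
    sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
    # The combination is the signal: SMS theft plus an accessibility
    # service is the banker profile the article describes.
    if sms & info["permissions"] and info["accessibility_service"]:
        findings.append("SMS access combined with accessibility service: "
                        "banker-style profile")
        score += 2
    return {"score": score, "findings": findings}


def triage(xml_text):
    """Convenience wrapper: parse then assess one manifest."""
    return assess(parse_manifest(xml_text))


if __name__ == "__main__":
    result = triage(CONSTRUCTED_MANIFEST)
    print(f"score={result['score']}")
    for line in result["findings"]:
        print(" -", line)
```

The script expects the manifest in decoded text form (as produced by a decoder such as apktool), since the manifest inside a packaged APK is stored as binary XML. A high score is a reason to look closer, not a verdict: legitimate messaging or assistive apps request some of these permissions, which is why the combination of SMS access with an accessibility service is weighted above any single permission.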



“The engagement of Java programmers who developed a Telegram bot proposing earnings suggests that the tool is actively under development and has the support of a network of affiliated personnel,” the analysts remarked.

“Scrutiny of filename patterns, sample distribution techniques, and other malicious actions of the perpetrators indicates an intimate cultural familiarity with the region they operate in.”

This disclosure coincides with Zimperium’s revelation of connections between two Android malware families identified as SpyNote and Gigabud (part of the GoldFactory group, which also encompasses GoldDigger).

“Domains exhibiting striking structural similarities (employing identical keywords as subdomains) and purposes used to circulate Gigabud samples were also employed in the dissemination of SpyNote samples,” the organization disclosed. “This confluence in distribution indicates that the same offender is likely behind both malware strains, indicating a meticulously coordinated extensive campaign.”
