Recent Android Malware ‘Ajina.Banker’ Swipes Financial Information and Skips 2FA through Telegram
Customers in the Central Asia region’s banks have faced a new variety of Android malware called Ajina.Banker since at least November 2024. The goal is to gather financial details and intercept two-factor authentication (2FA) messages.
Group-IB, a Singapore-based company that identified the threat in May 2024, said that the malware is spread through a network of Telegram channels set up by the attackers and disguised as legitimate applications related to banking, payment systems, government services, or everyday utilities.
“The attacker has a group of partners driven by financial motives, circulating Android banker malware that targets regular users,” said security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov.
Countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan are among the targets of this continuous operation.
There are indications suggesting that some elements of the Telegram-based malware distribution process have been automated to enhance effectiveness. Various Telegram accounts are tailored to deliver customized messages including links – leading to other Telegram channels or external sources – and APK files to unsuspecting victims.
Using links that point to Telegram channels hosting the infected files, rather than attaching the files directly, helps the operators sidestep the security measures and posting limits enforced in various community chats, so their accounts avoid bans triggered by automated moderation.
Other than exploiting the trust users place in lawful services to boost infection rates, the strategy also involves circulating the malicious files in localized Telegram chats by pretending they are giveaways and promotions offering appealing rewards and exclusive service access.
“The tailored messages and localized promotional tactics proved to be highly effective in regional community chats,” stated the researchers. “By customizing their approach according to the interests and requirements of the local populace, Ajina managed to significantly raise the chances of successful infections.”
The malicious actors have also been seen flooding Telegram channels with multiple messages using numerous accounts, sometimes concurrently, indicating a coordinated endeavor that likely involves some automated distribution mechanism.
The malware itself is relatively simple: upon installation, it connects to a remote server and prompts the victim to grant access to SMS messages, phone number APIs, and current cellular network data, among other things.
Ajina.Banker can obtain SIM card specifics, a list of installed finance apps, and SMS messages, which are then sent to the server.
New versions of the malware are also programmed to display phishing pages to try and capture banking details. Additionally, they have the ability to access call records and contacts, as well as exploit Android’s accessibility services API to thwart uninstallations and acquire additional permissions.
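The capability profile described above (SMS access, SIM and phone state, call records and contacts, plus an accessibility service used to resist uninstallation) is visible in an app's manifest before it is ever run. The following Python script is an added example, not code from the article or from Group-IB: it triages an AndroidManifest.xml for that combination of permissions and flags the SMS-plus-accessibility pairing that a banking trojan needs and a genuine utility app rarely does. The two manifests embedded in it are constructed for the example; the permission names are the real Android identifiers.

```python
"""Heuristic manifest triage for the banker permission profile.

Added example (not from the article). The manifests below are constructed;
in practice the binary manifest inside an APK is decoded first, e.g. with
apktool, and the resulting XML text is passed to triage_manifest().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name
PERM_ATTR = f"{{{ANDROID_NS}}}permission"    # android:permission on <service>

# Real Android permission names, grouped by the capabilities the article lists.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE",
               "android.permission.READ_PHONE_NUMBERS"}
CALL_CONTACT_PERMS = {"android.permission.READ_CALL_LOG",
                      "android.permission.READ_CONTACTS"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(root):
    """Set of permission names declared via <uses-permission>."""
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def accessibility_services(root):
    """Services guarded by BIND_ACCESSIBILITY_SERVICE: these can read screen
    content and act on the UI, which is how uninstall prompts get dismissed."""
    return [s.get(NAME_ATTR) for s in root.iter("service")
            if s.get(PERM_ATTR) == ACCESSIBILITY_PERM]


def triage_manifest(xml_text):
    """Return the matched permission groups, a 0-4 score, and a boolean that
    is True only for the SMS-interception + accessibility-service pairing."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    findings = {
        "sms": sorted(perms & SMS_PERMS),
        "phone_state": sorted(perms & PHONE_PERMS),
        "call_log_contacts": sorted(perms & CALL_CONTACT_PERMS),
        "accessibility_services": accessibility_services(root),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    findings["matches_banker_profile"] = bool(findings["sms"]) and bool(
        findings["accessibility_services"])
    return findings


# Constructed sample: a "utility" app with the full banker permission profile.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeutility">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Utility">
        <service android:name=".AccessSvc"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a plain network-only app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The score alone is not a verdict: a legitimate messaging app will legitimately hold SMS permissions, and screen readers hold accessibility permissions. The useful signal is the pairing in an app that presents itself as a payment or utility tool, which is exactly the disguise the article describes, so the boolean is what belongs in a triage queue while the individual groups explain why.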

“The hiring of Java programmers, creating Telegram bots with promises of making money, also shows that the tool is actively being developed and has the support of a network of affiliated employees,” the researchers said.
“Evaluation of the file names, distribution methods of samples, and other actions by the attackers indicate a familiarity with the region in which they are operating.”
This revelation comes as Zimperium identified connections between two Android malware lineages known as SpyNote and Gigabud (which is part of the GoldFactory family that involves GoldDigger).
“Domains with very similar structures (using the same unique keywords as subdomains) and targets used to distribute Gigabud were also employed to disseminate SpyNote samples,” the company said. “This overlap in distribution indicates that the same threat actor is likely behind both malware strains, suggesting a well-organized and widespread campaign.”