Banking customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2024 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages.
Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, government services, or everyday utilities.
“The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users,” security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said.
Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.
There is evidence to suggest that some aspects of the Telegram-based malware distribution process may have been automated for improved efficiency. The numerous Telegram accounts are designed to serve crafted messages containing links (either to other Telegram channels or to external sources) and APK files to unwitting targets.
Using links that point to Telegram channels hosting the malicious files has an added benefit in that it bypasses security measures and restrictions imposed by many community chats, thereby allowing the accounts to evade bans when automatic moderation is triggered.
Besides abusing the trust users place in legitimate services to maximize infection rates, the modus operandi also entails sharing the malicious files in local Telegram chats by passing them off as giveaways and promotions that claim to offer lucrative rewards and exclusive access to services.
“The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats,” the researchers stated. “By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections.”
The threat actors have also been observed bombarding Telegram channels with multiple messages from multiple accounts, at times concurrently, indicating a coordinated effort that likely employs some kind of automated distribution tool.
The malware itself is fairly simple: once installed, it establishes contact with a remote server and asks the victim to grant it permission to access SMS messages, phone number APIs, and current cellular network information, among others.
Ajina.Banker is capable of collecting SIM card information, a list of installed financial apps, and SMS messages, which are then exfiltrated to the server.
New versions of the malware are also engineered to serve phishing pages in an attempt to collect banking information. Furthermore, they can access call logs and contacts, as well as abuse Android’s accessibility services API to prevent uninstallation and grant themselves additional permissions.
“The hiring of Java coders, created Telegram bot with the proposal of earning some money, also indicates that the tool is in the process of active development and has support of a network of affiliated employees,” the researchers said.
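The capability set described above (SMS access, phone-number and cellular-network APIs, call logs, contacts, enumeration of installed financial apps, and an accessibility service used to resist uninstallation) is something an analyst can look for statically in a decoded APK manifest. The following is an added example, not Group-IB's tooling; the sample manifest is constructed, and the mapping of the reported behaviours to concrete Android permission strings is an assumption.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission profile
reported for Ajina.Banker. Added example, not from the report; the manifest
below is constructed and the permission mapping is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets named after the reported behaviours. Which concrete
# permission strings the malware requests is an assumption, not from the page.
CAPABILITIES = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone_identity": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "cellular_info": {"android.permission.ACCESS_NETWORK_STATE"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return the capability buckets an app requests and a suspicion verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM for s in root.iter("service")):
        hits.add("accessibility_service")
    # The combination the report describes: SMS interception plus an
    # accessibility service in one app is rare in legitimate software.
    suspicious = {"sms_access", "accessibility_service"} <= hits
    return {"capabilities": sorted(hits), "suspicious": suspicious}


# Constructed sample manifest mimicking a fake banking app (not a real IoC).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of a manifest decoder such as apktool; a verdict of suspicious is a triage cue for closer dynamic analysis, not proof of infection.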
“Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate.”
The disclosure comes as Zimperium uncovered links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).
“Domains with really similar structure (using the same unusual keywords as subdomains) and targets used to spread Gigabud samples and were also used to distribute SpyNote samples,” the company said. “This overlap in distribution shows that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign.”