New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram

Sep 12, 2024 | Ravie Lakshmanan | Mobile Security / Financial Fraud

Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023, with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages.

Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, government services, or everyday utilities.

"The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said.

Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.

There is evidence to suggest that some aspects of the Telegram-based malware distribution process may have been automated for improved efficiency. The numerous Telegram accounts are designed to serve crafted messages containing links, either to other Telegram channels or to external sources, and APK files to unwitting targets.

The use of links pointing to Telegram channels that host the malicious files has an added advantage in that it bypasses security measures and restrictions imposed by many group chats, thereby allowing the accounts to evade bans when automated moderation is triggered.

Besides abusing the trust users place in legitimate services to maximize infection rates, the modus operandi also involves sharing the malicious files in local Telegram chats by passing them off as giveaways and promotions that claim to offer lucrative rewards and exclusive access to services.

"The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats," the researchers said. "By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections."

The threat actors have also been observed bombarding Telegram channels with multiple messages from multiple accounts, at times simultaneously, indicating a coordinated effort that likely employs some kind of automated distribution tool.

The malware itself is fairly simple: once installed, it establishes contact with a remote server and asks the victim to grant it permission to access SMS messages, phone number APIs, and current cellular network information, among others.

Ajina.Banker is capable of gathering SIM card information, a list of installed financial apps, and SMS messages, which are then exfiltrated to the server.

Newer versions of the malware are also engineered to serve phishing pages in an attempt to collect banking credentials. Furthermore, they can access call logs and contacts, as well as abuse Android's accessibility services API to prevent uninstallation and grant themselves additional permissions.
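To make the permission pattern described above concrete, the following triage script (an example added for this page, not Group-IB's or the malware's own code) parses a decoded AndroidManifest.xml, such as the one apktool produces from an APK, and flags an app that pairs SMS access with a registered accessibility service. The mapping from the article's wording (SMS, phone number APIs, call logs, contacts) to concrete Android permission names, and the two sample manifests, are assumptions constructed for illustration.

```python
"""Manifest triage for the Ajina.Banker permission pattern.

Added example: flags a decoded AndroidManifest.xml that combines SMS
access with an accessibility service, the pairing the write-up links to
2FA interception and uninstall resistance. Permission mapping and sample
manifests below are assumptions, not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of behaviours named in the article to Android permissions.
PERMISSION_CLASSES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a fake banking app requesting the risky combination.
SAMPLE_TROJAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <service android:name=".StealthA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def accessibility_services(manifest_xml: str) -> list:
    """Return names of <service> elements guarded by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
    ]


def triage(manifest_xml: str) -> dict:
    """Summarise which sensitive permission classes are requested and whether
    the SMS + accessibility-service pairing from the article is present."""
    perms = requested_permissions(manifest_xml)
    hit_classes = {cls for cls, names in PERMISSION_CLASSES.items() if perms & names}
    a11y = accessibility_services(manifest_xml)
    # Heuristic only: legitimate apps (e.g. screen readers) can also hold both.
    suspicious = "sms" in hit_classes and bool(a11y)
    return {
        "permission_classes": sorted(hit_classes),
        "accessibility_services": a11y,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, manifest in (("trojan", SAMPLE_TROJAN_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is deliberately a heuristic: SMS plus an accessibility service is also what a legitimate SMS client with accessibility support would declare, so the output is a reason to look at the sample, not a verdict. Run against a batch of decoded manifests, it surfaces the installs worth pulling SMS-handling code from first.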

"The hiring of Java coders, the creation of a Telegram bot with the proposal of earning some money, also indicates that the tool is in the process of active development and has the support of a network of affiliated employees," the researchers said.

"Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate."

The disclosure comes as Zimperium uncovered links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).

"Domains with really similar structure (using the same unusual keywords as subdomains) and targets used to spread Gigabud samples were also used to distribute SpyNote samples," the company said. "This overlap in distribution shows that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign."
