
New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram

Bank customers in the Central Asia region have been targeted by a new strain of Android malware called Ajina.Banker since at least November 2023, with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages.

Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is distributed through a network of Telegram channels set up by the threat actors under the guise of legitimate apps related to banking, payment systems, and government services, or everyday utilities.

"The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security experts Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov stated.

Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.

There is evidence that parts of the Telegram-based distribution process have been automated for efficiency. Multiple Telegram accounts are used to send prepared messages containing links, either to other Telegram channels or to external sources, along with APK downloads, to unsuspecting recipients.

Using links that point to Telegram channels hosting the malicious files has an added advantage: it sidesteps the security measures and restrictions imposed by many community chats, so the accounts avoid being banned when automated moderation is triggered.

Besides exploiting the trust users place in legitimate services to boost infection rates, the modus operandi also involves sharing the infected files in local Telegram chats, disguised as giveaways and promotions that promise cash prizes and exclusive access to services.

"The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats," the researchers concluded. "By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections."

The threat actors have also been observed spamming Telegram channels with various messages from several identities, at times simultaneously, suggesting a coordinated operation that likely relies on some kind of automated distribution tool.

The malware itself is fairly simple: once installed, it contacts a remote server and prompts the victim to grant it permission to access SMS messages, phone number APIs, and current cellular network information, among others.

Ajina.Banker is capable of collecting SIM card information, a list of installed financial applications, and SMS messages, all of which are then exfiltrated to the server.

Newer versions of the malware are also designed to serve phishing pages in an attempt to steal banking credentials. They can additionally access call logs and contacts, and abuse Android's accessibility services API to prevent uninstallation and grant themselves further permissions.
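The permission profile described above (SMS access, SIM and phone-state data, contacts and call logs, installed-app enumeration, and an accessibility service) is something an analyst can check for directly in an APK's manifest. The following triage script is an added example, not code from Group-IB or from the article; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the two manifests embedded in it are constructed samples, not real Ajina.Banker artifacts.

```python
"""Triage a decoded AndroidManifest.xml for a banker-style permission profile.

Added example (not Group-IB's or the article's code). Assumes the manifest has
already been decoded from the APK's binary XML, e.g. with apktool.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permission groups mapped to the capabilities the article attributes to the malware.
# QUERY_ALL_PACKAGES is one way an app enumerates installed (banking) apps on Android 11+.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "sim_and_phone_state": {"android.permission.READ_PHONE_STATE",
                            "android.permission.READ_PHONE_NUMBERS"},
    "cellular_network_info": {"android.permission.ACCESS_NETWORK_STATE"},
    "contacts_and_call_log": {"android.permission.READ_CONTACTS",
                              "android.permission.READ_CALL_LOG"},
    "installed_app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def has_accessibility_service(root):
    """True if a <service> is bound as an AccessibilityService.

    An accessibility service is what lets a banker click through its own
    permission prompts and dismiss the uninstall dialog on the victim's behalf.
    """
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) != BIND_ACCESSIBILITY:
            continue
        if any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False


def triage_manifest(xml_text):
    """Return the package name, matched capabilities and a heuristic verdict."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    findings = {}
    for capability, needed in CAPABILITIES.items():
        matched = sorted(perms & needed)
        if matched:
            findings[capability] = matched
    if has_accessibility_service(root):
        findings["accessibility_service"] = [BIND_ACCESSIBILITY]
    # SMS access plus an accessibility service is the hallmark combination;
    # a single common permission (e.g. network state) is not evidence by itself.
    if "sms_interception" in findings and "accessibility_service" in findings:
        verdict = "banker-like"
    elif len(findings) >= 2:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample: a fake "bank bonus" app with the profile described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebonus">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Bank Bonus">
        <service android:name=".Helper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: an ordinary utility that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict is deliberately a heuristic: SMS permissions alone are legitimate for messaging apps, and accessibility services alone are legitimate for assistive tools, so the script only flags the combination the article describes and leaves the rest for manual review.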

Google told The Hacker News that it found no evidence of the malware being distributed through the Google Play Store and that Android users are protected against this threat by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

"The hiring of Java coders and the creation of a Telegram bot with an offer to earn some money also indicate that the tool is in the process of active development and has the support of a network of affiliated employees," the researchers added.

"Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate."

The disclosure comes as Zimperium has identified links between two Android malware families tracked as SpyNote and Gigabud (which is part of the GoldFactory family that also includes GoldDigger).

"Domains with a really similar structure (using the same unusual keywords as subdomains) and targets used to spread Gigabud samples were also used to distribute SpyNote samples," the firm stated. "This overlap in distribution shows that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign."
