Researchers at Singapore-based Group-IB report the discovery of a new Android malware called Ajina.Banker, which is capable of stealing financial data while bypassing 2FA via Telegram.
Group-IB identified the threat in May 2024 while tracking Telegram distribution channels in which the malware was offered under the guise of legitimate applications for banks, payment systems, public services, or utilities.
Bank customers in the Central Asian region have been the main victims, with activity observed since at least November 2023.
In general, the current campaign is aimed at countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine and Uzbekistan.
The attacker operates through a network of financially motivated affiliates who handle the distribution of the Android banking malware to ordinary users.
At the same time, according to the researchers, some elements of the malware distribution process in Telegram could be automated to increase its efficiency.
Numerous Telegram accounts were used to send mass messages containing links either to other Telegram channels or to external sources hosting the APKs.
In addition to abusing users' trust in legitimate services in order to maximize infection rates, the campaign also used Telegram chats, where malicious files were presented as giveaways and promotions with prizes and exclusive access to services.
The use of thematic messages and localized promotion strategies, tailored to the interests and needs of the local population, has proven to be a particularly effective infection channel in regional chat rooms.
The malware itself is quite simple: once installed, it connects to its C2 server and asks the victim for permission to access SMS, the phone API, current cellular network information, and so on.
Ajina.Banker is capable of collecting information about the SIM card, installed financial applications and SMS, which are then transmitted to the server.
The new versions of the malware are also designed to support phishing pages to collect banking information.
In addition, the ability to access call logs and contacts has been implemented, along with abuse of the Android Accessibility Services API to resist uninstallation and obtain additional permissions.
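The capabilities described above map onto a recognisable manifest footprint: SMS, phone-state, call-log and contacts permissions, an accessibility service, and a device-admin receiver that resists removal. The following triage script is an added example, not Group-IB's code nor anything from the campaign; it parses constructed `AndroidManifest.xml` samples (the package names and component names are invented) and flags the combination of indicators an analyst would want to see before sandboxing an APK. It is a heuristic only: legitimate apps can request several of these permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability names (ours) mapped to the real Android permissions behind them.
INDICATORS = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone_state": {"android.permission.READ_PHONE_STATE"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk indicators present in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    findings = {cap for cap, perms in INDICATORS.items() if requested & perms}

    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; a device-admin receiver is guarded by
    # BIND_DEVICE_ADMIN. Either one is a strong signal when paired with SMS access.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION:
            findings.add("accessibility_service")
    for rcv in root.iter("receiver"):
        if rcv.get(PERM_ATTR) == DEVICE_ADMIN_PERMISSION:
            findings.add("device_admin")

    score = len(findings)
    return {
        "package": root.get("package"),
        "findings": sorted(findings),
        "score": score,
        # Heuristic verdict: SMS interception plus at least two other indicators.
        "suspicious": "sms_access" in findings and score >= 3,
    }


# Constructed sample manifests (not real APKs). The first mimics the permission
# profile described for the banker; the second is a minimal benign app.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(f"{result['package']}: score={result['score']} "
              f"suspicious={result['suspicious']} findings={result['findings']}")
```

In practice the manifest is obtained by decoding the APK first (for example with `apktool d` or `aapt dump xmltree`), and the verdict should feed a sandbox run or Play Protect check rather than be treated as a final classification.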
For its part, Google said it had found no evidence of the malware spreading through the Google Play Store, and that Google Play Protect protects users against the threat.
According to Group-IB, Ajina.Banker is in the process of active development and has significant support from the network of affiliates.
Source