A new strain of Android malware, Ajina, has been active since at least November 2024. The banker targets bank customers in Central Asia in an attempt to obtain financial data and intercept two-factor authentication (2FA) messages.
Group-IB, a Singaporean company, identified this threat in May 2024 and found that the malware expands via an attacker-created network of Telegram channels. These channels pose as legitimate apps for payment processors, banks, government agencies, or common utilities.
Security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said that “affiliates motivated by financial gain are spreading Android banking malware that targets regular users.”
Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan are among the nations that the campaign particularly targets.
Evidence suggests that the malware’s distribution over Telegram may include some automated components for efficiency. Many Telegram accounts are used to send malicious messages to unsuspecting users, including APK files and links to other Telegram channels or external websites.
Using Telegram channels to host malicious files helps bypass security measures and restrictions in many community chats, allowing these accounts to evade bans triggered by automatic moderation.
The attackers exploit the trust users place in legitimate services to boost infection rates. Their tactics include sharing malicious files in local Telegram chats, disguising them as giveaways or promotions that offer rewards and exclusive services.
“The use of themed messages and localized promotion strategies has proven highly effective in regional community chats,” the researchers noted. “By customizing their approach to the interests and needs of the local population, Ajina has significantly increased the likelihood of successful infections.”
Additionally, the threat actors have been observed bombarding Telegram channels with numerous messages from multiple accounts, often simultaneously, suggesting a coordinated effort that likely involves some automated distribution tool.
The malware itself is relatively simple; once installed, it connects to a remote server and requests permissions to access SMS messages, phone number APIs, and current cellular network information.
Ajina.Banker can collect SIM card data, a list of installed financial apps, and SMS messages, which it then sends to the server. Newer versions of the malware are designed to display phishing pages to collect banking information. They can also access call logs and contacts and misuse Android’s accessibility services API to prevent uninstallation and grant additional permissions.
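The capabilities listed above map onto a small, recognizable set of Android manifest entries: SMS permissions for 2FA interception, phone-state permissions for SIM and network data, package-query permission for enumerating installed financial apps, and a service bound with the accessibility-service permission for resisting uninstallation. The following triage script is an added example written for this article (it is not Group-IB’s tooling and not code from the Ajina samples) that parses a manifest and flags that combination. Both manifests it runs on are constructed for illustration; the package names, service name and the `triage_manifest` scoring rules are assumptions, not indicators taken from the report.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element tags do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities described for Ajina.Banker, keyed to the permissions that enable them.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sim_and_network_info": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "call_log_and_contacts": {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS"},
    "installed_app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
}
# A service declared with this permission is an accessibility service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a "utility" app with banker-style permissions (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    accessibility = any(
        s.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION for s in root.iter("service")
    )
    return root.get("package"), permissions, accessibility


def triage_manifest(xml_text):
    """Score a manifest against the Ajina.Banker capability set (assumed heuristic thresholds)."""
    package, permissions, accessibility = parse_manifest(xml_text)
    capabilities = sorted(
        name for name, needed in CAPABILITY_PERMISSIONS.items() if permissions & needed
    )
    # Accessibility abuse weighs more because it enables persistence and silent permission grants.
    score = len(capabilities) + (2 if accessibility else 0)
    if "sms_interception" in capabilities and (
        accessibility or "installed_app_enumeration" in capabilities
    ):
        verdict = "suspicious"  # SMS theft combined with app enumeration or accessibility abuse
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {
        "package": package,
        "capabilities": capabilities,
        "uses_accessibility": accessibility,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(f"{result['package']}: {result['verdict']} (score {result['score']}) {result['capabilities']}")
```

The point of the heuristic is the combination rather than any single permission: plenty of legitimate apps read SMS or declare an accessibility service, but a self-described utility that wants SMS, phone state, the full installed-package list and an accessibility binding at once matches the behaviour described for Ajina.Banker and deserves a manual look before installation is allowed.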
“The recruitment of Java developers, creating Telegram bots offering financial incentives, also indicates that the tool is actively being developed and supported by a network of affiliates,” the researchers added.
“An analysis of the file names, distribution methods, and other attacker activities suggests familiarity with the culture of the region in which they operate.”
This disclosure coincides with Zimperium’s findings linking two Android malware families, SpyNote and Gigabud (part of the GoldFactory family, which also includes GoldDigger).
“Domains with similar structures, using the same unusual keywords as subdomains, were used to distribute both Gigabud and SpyNote samples,” the company noted. “This overlap indicates that the same threat actor is likely behind both malware families, suggesting a well-coordinated and expansive campaign.”