Bank customers in the Central Asian region have been targeted by a new strain of Android malware code-named Ajina.Banker since at least November 2024 for the purpose of collecting financial information and intercepting two-factor authentication (2FA) messages.
Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware was being distributed through a network of Telegram channels set up by threat actors posing as legitimate applications related to banking, payment systems, government services, or daily utilities.
“The attacker has a network of affiliates motivated by financial gain that distributes the Android Banker malware targeting ordinary users,” security researchers Boris Martyniuk, Pavel Naumov and Anvar Anarkulov said.
The current campaign targets countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine and Uzbekistan.
There is evidence to suggest that some aspects of the Telegram-based malware distribution process could have been automated to improve efficiency. Many Telegram accounts are designed to serve up crafted messages that contain links – either to other Telegram channels or to external sources – and APK files to unwitting targets.
Using links that point to Telegram channels hosting malicious files has the added benefit of bypassing security measures and restrictions imposed by many community chats, allowing accounts to avoid bans when automatic moderation is triggered.
In addition to abusing users’ trust in legitimate services to maximize infection rates, the modus operandi also involves sharing malicious files in local Telegram chats, passing them off as giveaways and promotions that claim to offer lucrative rewards and exclusive access to services.
“Using themed posts and localized promotion strategies proved particularly effective in regional community chats,” the researchers note. “By adapting its approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections.”
Threat actors have also been seen to bombard Telegram channels with multiple messages using multiple accounts, sometimes simultaneously, indicating a coordinated effort likely using some sort of automated distribution tool.
The malware itself is quite simple, as once installed it contacts a remote server and asks the victim to grant it permission to access SMS messages, phone number APIs, and information about the current cellular network, among other things.
Ajina.Banker is able to collect information about the SIM card, a list of installed financial programs and SMS messages, which are then transmitted to the server.
Newer versions of the malware are also designed to serve up phishing pages in an attempt to collect banking information. Additionally, they can access call logs and contacts, and abuse the Android Accessibility Services API to prevent deletion and grant themselves additional permissions.
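The capabilities described above (SMS access, phone and SIM information, call logs and contacts, an inventory of installed financial apps, and an Accessibility Service used to self-grant permissions and resist removal) all show up as entries in an APK's AndroidManifest.xml, which makes manifest review a cheap first triage step for an app received through a Telegram chat. The following is an added example written for this page, not code from Group-IB or from the article; the two manifests are constructed samples, and the mapping of the page's described behaviours onto specific Android permission names is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Manifest permissions that correspond to the behaviours attributed to
# Ajina.Banker in the text. The permission names are real Android
# permissions; pairing them with these behaviours is an assumption.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (2FA code interception)",
    "android.permission.RECEIVE_SMS": "receive SMS (2FA code interception)",
    "android.permission.READ_PHONE_STATE": "phone / SIM / cellular network info",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.QUERY_ALL_PACKAGES": "inventory of installed apps",
}
# A service declared with this permission is an Accessibility Service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag risky permissions and Accessibility Services in a manifest.

    Returns the package name, a list of human-readable findings, and a
    'banker_pattern' flag set when SMS access is combined with an
    Accessibility Service, the combination the text describes.
    """
    root = ET.fromstring(manifest_xml)
    findings = []

    # <uses-permission android:name="..."/> entries at manifest level.
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"{perm}: {why}")

    # <service android:permission="...BIND_ACCESSIBILITY_SERVICE"> under <application>.
    accessibility_services = []
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION:
                accessibility_services.append(svc.get(NAME_ATTR))
    for name in accessibility_services:
        findings.append(
            f"accessibility service {name}: can self-grant permissions and block uninstall"
        )

    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & requested
    banker_pattern = bool(sms) and bool(accessibility_services)
    return {
        "package": root.get("package"),
        "findings": findings,
        "banker_pattern": banker_pattern,
    }


# Constructed sample: a manifest with the permission profile described above.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Bank Promo">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary network-only app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "banker_pattern =", result["banker_pattern"])
        for finding in result["findings"]:
            print("  -", finding)
```

On a real APK the manifest is binary-encoded and has to be decoded first (for example with apktool or aapt); this function takes the decoded XML as a string. The heuristic is deliberately narrow: many legitimate apps request one of these permissions, so the strong signal is the combination of SMS access with an Accessibility Service, which is why that pairing is reported as a separate flag rather than folded into the count of findings.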
“The hiring of Java coders, who created the Telegram bot with an offer to earn money, also indicates that the tool is in the process of active development and has the support of a network of affiliated employees,” the researchers note.
“Analysis of file names, sample distribution methods, and other activities of attackers indicates cultural familiarity with the region in which they operate.”
The disclosure comes after Zimperium discovered links between two families of Android malware tracked as SpyNote and Gigabud (which is part of the GoldFactory family, which also includes GoldDigger).
“Domains with exactly the same structure (using the same unusual keywords as subdomains) and targets used to distribute the Gigabud samples were also used to distribute the SpyNote samples,” the company said. “This coincidence in distribution shows that the same person is likely behind both malware families, indicating a well-coordinated and widespread campaign.”