Bank customers in the Central Asia region have been targeted by a new strain of Android malware known as Ajina.Banker since at least November 2023, with the aim of collecting financial information and intercepting two-factor authentication (2FA) messages.
Singapore-headquartered Group-IB discovered the threat in May 2024 and said the malware is distributed through a network of Telegram channels set up by cybercriminals, with the malicious apps posing as legitimate applications related to finance, payments, government services, or everyday utilities.
“The attackers have partners who are driven by financial motives and are distributing Android banker malware that targets regular users,” explained security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov in a report.
Countries like Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan are among the targets of this ongoing campaign.
Evidence suggests that parts of the Telegram distribution process may have been automated for efficiency: numerous Telegram accounts send crafted messages to unsuspecting victims containing links to other channels or external sources, as well as APK files directly.
By linking to Telegram channels that host the malicious files, rather than posting the APKs into community chats directly, the attackers sidestep the chats' automatic moderation and the bans it would otherwise trigger.
Besides exploiting the trust users have in legitimate services to increase infection rates, the attackers also share the malicious files in local Telegram chats disguised as giveaways and promotions promising rewards and exclusive services.
“The use of localized promotions and themed messages has proved highly effective in regional community chats,” the researchers noted. “Tailoring the approach to the interests of the local population has significantly increased the success rate of infections.”
Furthermore, the threat actors flood Telegram channels with multiple messages using multiple accounts simultaneously, hinting at a coordinated effort that likely involves an automated distribution tool.
On installation the malware establishes contact with a remote server and asks the user to grant access to SMS messages, phone number APIs, and network information. It then harvests SIM card details, the list of installed financial apps, and SMS messages, and exfiltrates them to the server.
Newer versions also serve phishing pages to collect banking credentials, access call logs and contacts, and abuse Android's accessibility services API to resist uninstallation and grant themselves additional permissions.
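The capabilities described above (SMS access, SIM and phone number data, enumeration of installed finance apps, an accessibility service) each appear in legitimate apps, but rarely together. The following triage script, an added example that is not part of the Group-IB report and not code from the campaign, parses an AndroidManifest.xml and flags that combination. The mapping from the behaviours in the text to specific Android permissions is an assumption about how such features normally surface in a manifest, and the two manifests embedded in it are constructed samples, not real apps.

```python
"""Manifest triage for the permission pattern described above (added example).

Constructed for illustration: the behaviour-to-permission mapping is an
assumption, and the two sample manifests are made up. This is a heuristic,
not a signature for Ajina.Banker or any other family.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
ENUM_PERM = "android.permission.QUERY_ALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text: str) -> dict:
    """Extract the manifest facts the heuristic needs."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}
    # Android 11+ apps can probe for specific packages via <queries> instead of
    # QUERY_ALL_PACKAGES; a long list of bank package names is a tell.
    queried = {p.get(A_NAME) for q in root.iter("queries") for p in q.iter("package") if p.get(A_NAME)}
    a11y = any(s.get(A_PERMISSION) == A11Y_PERM for s in root.iter("service"))
    # A receiver for SMS_RECEIVED is how an app sees OTP texts as they arrive.
    sms_rx = any(a.get(A_NAME) == SMS_ACTION for r in root.iter("receiver") for a in r.iter("action"))
    return {"permissions": perms, "queried_packages": queried,
            "accessibility_service": a11y, "sms_receiver": sms_rx}


def triage(xml_text: str) -> dict:
    """Return findings plus a verdict: LOW, REVIEW, or HIGH."""
    m = parse_manifest(xml_text)
    findings = []
    if m["permissions"] & SMS_PERMS:
        findings.append("SMS access: " + ", ".join(sorted(m["permissions"] & SMS_PERMS)))
    if m["sms_receiver"]:
        findings.append("broadcast receiver for SMS_RECEIVED")
    if m["permissions"] & PHONE_PERMS:
        findings.append("SIM / phone number access")
    enumerates = ENUM_PERM in m["permissions"] or bool(m["queried_packages"])
    if enumerates:
        findings.append(f"installed-app enumeration ({len(m['queried_packages'])} named packages queried)")
    if m["accessibility_service"]:
        findings.append("accessibility service declared (uninstall blocking, self-granting prompts)")
    # Any single capability is common in legitimate apps; the banker pattern is
    # SMS access combined with accessibility abuse or finance-app enumeration.
    sms = bool(m["permissions"] & SMS_PERMS) or m["sms_receiver"]
    if sms and (m["accessibility_service"] or enumerates):
        verdict = "HIGH"
    elif findings:
        verdict = "REVIEW"
    else:
        verdict = "LOW"
    return {"findings": findings, "verdict": verdict}


# Constructed sample manifests (hypothetical package names, not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.utilitypay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <queries>
    <package android:name="com.example.bank.one"/>
    <package android:name="com.example.bank.two"/>
  </queries>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        result = triage(text)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To use it on a real APK, extract and decode the binary manifest first (for example with apktool or androguard) and pass the resulting XML text to `triage()`. The verdict is deliberately conservative: a lone SMS permission only yields REVIEW, because messaging and some banking apps legitimately hold it; HIGH requires the combination the text describes.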
“The hiring of Java coders and the creation of a Telegram bot to promote money-making opportunities indicate that this tool is actively being developed and supported by a network of affiliated employees,” the researchers stated.
“Analyzing file names, distribution methods, and other activities of the attackers reveals a cultural understanding of the region where they operate.”
Separately, Zimperium has uncovered links between two other Android malware families, SpyNote and Gigabud (the latter part of the GoldFactory family that also includes GoldDigger).
“Domains with similar structures and targets were used to distribute Gigabud and SpyNote samples, indicating that the same threat actor is likely behind both, pointing to a well-coordinated and extensive campaign,” the company said.