New Android malware targets bank customers in Central Asia

A new Android malware is being used to steal information from bank customers in Central Asia, researchers have found.

First spotted in May by Singapore-based cyber firm Group-IB, the Ajina Banker malware is delivered through malicious files disguised as legitimate financial applications, government service portals, or everyday utility tools. These files have been spread via the messaging app Telegram since at least last November, and the campaign is still ongoing.

In a report released on Thursday, researchers said they had found nearly 1,400 unique samples of Ajina Banker malware. The threat actor behind it, who wasn’t identified, works with a network of affiliates targeting ordinary users for financial gain.

Although the malware wasn’t attributed to a specific hacker group, the file names, distribution methods, and other activities of the attackers suggest “a cultural familiarity with the region in which they operate,” Group-IB said.

The countries targeted by Ajina Banker include Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan. Most of the malware samples were specifically designed to target users in Uzbekistan.

The evolution of the malware has caused attacks to expand beyond the originally targeted region, affecting victims in Russia, Ukraine, Pakistan, and even Iceland.

Many users continue to fall victim to Ajina Banker, according to the report. For example, in May attempted infections surpassed 100 per day.

To distribute the malware, the threat actor created numerous Telegram accounts and spread the tool in local chats. Researchers said the distribution process may have been partially automated.

To trick victims into installing malicious files, the hackers crafted convincing messages, such as ones promising rewards, special offers, or exclusive access to sought-after services.

“By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections,” researchers said.

To circumvent security measures on Telegram, which could ban suspicious accounts sending files to group chats, the hackers directed users to external channels controlled by them.

Researchers noted that the adversaries established multiple Telegram accounts designed to blend in with regular users and evade detection for as long as possible. This ability to maintain and operate numerous accounts simultaneously while consistently delivering tailored messages “indicates a high level of planning and coordination.”

Once installed on a victim’s device, Ajina Banker can collect sent and received SMS, information about the SIM card, and a list of installed financial applications.

Since its introduction, Ajina Banker has continually improved, demonstrating heightened sophistication. 

“Social engineering techniques and the scale of the attack were increasingly leveraged to enhance the campaign’s efficiency,” researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.