
Ajina.Banker (Infostealer) – Malware

February 26, 2025

Ajina.Banker

Type of Malware

Infostealer

Date of Initial Activity

2023

Targeted Countries

Pakistan
Uzbekistan
Azerbaijan
Armenia
Kazakhstan
Russia
Ukraine
Iceland

Motivation

Financial Gain
Data Theft

Attack Vectors

Phishing

Targeted Systems

Android

Type of Information Stolen

Communication Data
Financial Information

Overview

In May 2024, a significant cybersecurity threat was uncovered by Group-IB, a leading cybersecurity firm, targeting bank customers in Central Asia. This threat, identified as Ajina.Banker, is a sophisticated Android malware campaign designed to steal sensitive banking information and intercept Two-Factor Authentication (2FA) messages. Ajina.Banker is distributed through malicious .APK files, often masquerading as legitimate applications related to banking, payments, deliveries, and other everyday services. The malware, which first appeared in the region in late 2023, has rapidly gained traction across Central Asia and beyond, affecting thousands of Android users. The name “Ajina” is derived from a mythical spirit in Uzbek folklore, known for its deceptive and harmful nature. Just as the spirit is said to mislead and harm individuals, the Ajina.Banker malware operates by disguising itself as trusted, benign apps, tricking users into downloading and installing it. Once executed on the device, the malware steals personal and financial data, and can intercept 2FA codes, making it particularly dangerous for users engaged in mobile banking or financial transactions. This type of attack represents a growing trend in the cyber threat landscape, where attackers target individuals’ most sensitive data by leveraging mobile apps, which are increasingly relied upon for financial services.

Targets

Individuals

How they operate

Infection Chain and Initial Access

Ajina.Banker malware typically spreads via malicious Android package files (APKs) disguised as legitimate applications. These apps are often found on informal platforms such as Telegram channels, which are commonly used to distribute pirated or unauthorized software in the region. Upon installation, the malware requests numerous permissions, including access to sensitive system components and applications. These permissions are typically granted by unsuspecting users who believe they are installing legitimate apps, such as banking, payment, or delivery services. The malware’s initial access is largely dependent on social engineering tactics. The attackers take advantage of users’ trust in what appear to be legitimate apps, making it harder for them to distinguish between malicious and trusted software. Once the app is installed, Ajina.Banker begins its malicious behavior by setting up communication with its command-and-control (C2) server. This enables it to receive commands, upload stolen data, and download additional payloads.

Execution and Data Collection

Once activated, the malware begins executing its core functionality. Ajina.Banker’s primary purpose is to steal banking credentials and sensitive financial data. The malware is capable of harvesting data from a wide variety of sources, including banking apps, online payment apps, and even social media platforms that may store sensitive personal information. Ajina.Banker uses techniques such as keylogging, form grabbing, and screen capturing to intercept sensitive data as users interact with their devices. The malware may also initiate fake login screens to capture user credentials when they attempt to access banking or payment applications. Ajina.Banker is particularly dangerous because it can also intercept two-factor authentication (2FA) codes that are often sent via SMS or other messaging systems. This allows attackers to bypass an additional layer of security and gain full access to users’ banking accounts or financial services. The malware’s ability to interact with 2FA mechanisms significantly increases the success rate of its attacks and makes it an attractive tool for cybercriminals targeting the financial sector.

Persistence and Privilege Escalation

To maintain control over infected devices, Ajina.Banker employs several persistence techniques. After installation, the malware ensures that it remains active even if the device is rebooted. It may add itself to the Android system’s startup processes or abuse legitimate system services to ensure that it automatically launches upon boot. Additionally, Ajina.Banker can exploit root access or request additional system privileges from the user, escalating its permissions to gain deeper control over the device. Once it has secured persistence on the infected device, Ajina.Banker can continue its malicious operations undetected, ensuring that the attackers can maintain a continuous stream of stolen data. The malware can also adjust its behavior depending on the permissions it has acquired, expanding its capabilities and making it harder to remove.

Exfiltration and Command-and-Control Communication

Ajina.Banker communicates with remote command-and-control servers to exfiltrate stolen data and receive further instructions. The malware uses encrypted communication channels to obfuscate the data being sent and ensure that its activities remain hidden from network security tools. Stolen banking credentials, payment information, and 2FA codes are transmitted back to the attacker’s C2 infrastructure, where they can be used for financial fraud or sold on underground markets. The malware’s ability to remain undetected while performing these activities is one of its most dangerous features. It avoids triggering security alerts by using standard Android communication protocols, which makes it difficult for traditional antivirus solutions to detect its presence.

Evolution and Spread

Since its discovery, Ajina.Banker has evolved in both sophistication and scale. Initially targeting users in Central Asia, the malware has begun to expand beyond its original region, affecting victims in other parts of the world. This evolution reflects the attackers’ ability to adapt to security measures, change tactics, and refine their distribution techniques. The malware’s modular structure allows it to be easily updated and modified, enabling the threat actors to incorporate new features or exploit newly discovered vulnerabilities in Android systems. Furthermore, the network of affiliates spreading the malware has been growing, with different groups taking part in distributing the malicious APKs. This indicates a highly organized operation with financial incentives driving the spread of the malware across various digital platforms.

Conclusion

Ajina.Banker malware represents a significant threat to users in Central Asia and potentially beyond, due to its ability to bypass common security measures and steal sensitive financial information. Its infection chain, persistence mechanisms, and sophisticated data exfiltration techniques demonstrate the malware’s advanced capabilities. As cybercriminals continue to adapt and refine their tactics, it is essential for users and organizations to remain vigilant against such threats. Using reliable security solutions, exercising caution when installing apps, and being wary of suspicious communications are critical steps in defending against Ajina.Banker and similar Android banking trojans.
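The three behaviours described above that an analyst can check before the app ever runs are the broad permission set requested at install time, the boot-time relaunch used for persistence, and the SMS access needed to intercept 2FA codes. All three are visible in an APK's AndroidManifest.xml. The Python triage script below is an added example and is not code from this page or from Group-IB's report: the two sample manifests, the package names, the permission weights and the alert threshold are constructed assumptions for illustration, and the check generalizes beyond Ajina.Banker to the permission pattern shared by most Android banking trojans (SMS + boot receiver + overlay/accessibility).

```python
"""Static triage of a decoded AndroidManifest.xml for the Android banker pattern.

Added example (not the page's or Group-IB's code). Weights, threshold,
package names and the sample manifests below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name as ElementTree sees it

# Permission -> (assumed weight, what it enables for a banker). Weights are
# illustrative, not a vendor scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "intercept incoming 2FA SMS"),
    "android.permission.READ_SMS": (3, "read stored 2FA SMS"),
    "android.permission.SEND_SMS": (2, "forward codes or spread via SMS"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (2, "relaunch after reboot"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "draw fake login overlays"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (3, "keylogging / form grabbing"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "drop additional payloads"),
    "android.permission.READ_CONTACTS": (1, "harvest contact data"),
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ALERT_THRESHOLD = 7  # assumed cut-off for flagging the sample as banker-like

# Constructed sample: a "delivery" app that wants SMS, boot and overlay access.
SAMPLE_BANKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Express Delivery">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary network-only app for comparison.
SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, requested permissions, {receiver: set of actions})."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    receivers = {}
    for recv in root.iter("receiver"):
        receivers[recv.get(NAME_ATTR)] = {a.get(NAME_ATTR) for a in recv.iter("action")}
    return package, perms, receivers


def triage(xml_text):
    """Score the manifest and list why; alert when the banker pattern is present."""
    package, perms, receivers = parse_manifest(xml_text)
    score, findings = 0, []
    for perm in sorted(perms & set(RISKY_PERMISSIONS)):
        weight, why = RISKY_PERMISSIONS[perm]
        score += weight
        findings.append(f"permission {perm}: {why}")
    for name, actions in receivers.items():
        if BOOT_ACTION in actions:  # persistence: relaunch on boot
            score += 2
            findings.append(f"receiver {name} listens for BOOT_COMPLETED (persistence)")
        if SMS_ACTION in actions:  # 2FA interception: grabs SMS before the user sees it
            score += 3
            findings.append(f"receiver {name} listens for SMS_RECEIVED (2FA interception)")
    return {"package": package, "score": score,
            "alert": score >= ALERT_THRESHOLD, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_BANKER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage(sample)
        print(f"{result['package']}: score={result['score']} alert={result['alert']}")
        for line in result["findings"]:
            print("  -", line)
```

Real APKs store the manifest as binary XML, so decode it first (apktool or androguard's AXML support both produce a plain-XML manifest) and pass that text to `triage()`. The point of scoring combinations rather than single permissions is that a genuine SMS or delivery app may legitimately hold one of these, while a "delivery" app that asks for SMS receipt, boot relaunch and overlay drawing together is the profile this page describes.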

MITRE Tactics and Techniques

Initial Access (T1071)

Ajina.Banker malware typically gains initial access through the distribution of malicious .APK files masquerading as legitimate applications. These files are often shared through Telegram channels and other informal messaging platforms.

Execution (T1203)

The malware executes when the user installs the malicious APK. It leverages techniques that require user interaction, including permissions granting and app installation, to initiate the malicious payload on the device.

Persistence (T1547)

Ajina.Banker achieves persistence by embedding itself within the system after installation. It uses techniques to ensure that it continues running even after the device is restarted, and can use system permissions to maintain access to the device.

Privilege Escalation (T1548)

The malware might attempt to escalate its privileges by requesting additional permissions from the user or exploiting system vulnerabilities to obtain root access, enabling it to gain deeper control over the infected device.

Credential Dumping (T1003)

Once installed, the malware seeks to steal sensitive banking information, including credentials. It may use keylogging or other data collection techniques to harvest login credentials and financial data from the infected device.

Credential Access (T1071.001)

Ajina.Banker is specifically designed to target financial data. As part of its credential access, it also seeks to intercept Two-Factor Authentication (2FA) messages, which are commonly used to secure online banking transactions, making the malware especially dangerous.

Exfiltration (T1041)

The collected data, including sensitive banking information and intercepted 2FA codes, is exfiltrated to remote command-and-control (C2) servers controlled by the attackers. This information is typically sent to IP addresses identified in the malware’s network communications.

Command and Control (T1071)

Ajina.Banker communicates with remote C2 servers to receive instructions and send stolen data back to the threat actors. This communication is typically initiated by the malware through hardcoded server addresses or dynamically retrieved C2 information.

Impact (T1486)

The final goal of the malware is to monetize the stolen financial data, which may be used for identity theft, unauthorized transactions, or sold on underground marketplaces. The attackers profit directly from the theft of sensitive financial information.

References

  • Ajina attacks Central Asia: Story of an Uzbek Android Pandemic

Tags: Ajina.Banker, Android, Armenia, Asia, Azerbaijan, GROUP-IB, Iceland, Infostealers, Kazakhstan, Malware, Pakistan, Russia, Ukraine, Uzbekistan