Cybercrime , Endpoint Security , Fraud Management & Cybercrime
Android Trojans Still Pose a Threat, Researchers Warn
Ajina Malware Intercepts SMS Codes, Targets Banks and Payment Platform DetailsAndroid malware first seen in the wild in late 2023 has been targeting users' bank and online payment accounts, bolstered by its ability to steal one-time access codes sent via SMS.
See Also: OnDemand I Stop Fraud from the Start: Detecting and Mitigating Risks during Onboarding
Cybersecurity firm Group-IB said the group behind the "widespread and damaging malware campaign," which it gave the codename Ajina, has successfully compromised a large number of end-user devices across Central Asia. Daily infections tied to the malware spiked in late 2023; and again in February, May and June; and to a lesser extent in August, suggesting it remains very active.
While Group-IB said it doesn't have a way to quantify the amount the group successfully stole from banks, the continuing distribution and development of its banking malware suggests at least a small measure of success, if not more.
Affected users appear to have been tricked into installing the malware, which doesn't appear to be getting distributed via official Google channels. "Based on our current detections, no apps containing this malware are found on Google Play," a Google spokesperson told Information Security Media Group.*
"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," the spokesperson said. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."*
Researchers said they first spotted the malware when it was uploaded to analysis site VirusTotal in May from Uzbekistan, in the form of a malicious app made to appear as if it was developed by a "local tax authority." By tracing the IP address to which the malware attempted to "phone home" the researchers found other .apk
- Android package - files that showed similar behavior, which they traced to attacks that began by November 2023.
Given that Uzbek connection, researchers named the group behind the malware Ajina, in reference to a mythical beast described by one mythology enthusiast as being a "goat-headed giant who lies in wait for naughty children in ash piles and empty houses."
Ajina initially used Telegram to try and distribute the Ajina.Banker malware APK file via phishing and social engineering attacks designed to lure victims into using it by tricking them into thinking they were accessing "legitimate banking, government or everyday utility applications," the researchers said.
Campaigns to date have targeted individuals in numerous countries, including Russia and Ukraine, as well as Armenia, Azerbaijan, Pakistan, Kazakhstan, Kyrgyzstan and Tajikistan, plus Iceland, they said.
Earlier this year, Armenia's national computer emergency response team, AM-CERT, issued its own alert about a variant of the malware, named Ardshihn-bank.apk
, which pretended to be a legitimate app distributed by Armenian commercial bank Ardshinbank.
"The malicious APK package is spreading via Telegram messages, where users are promised financial rewards for installing the application," AM-CERT said. "Upon infecting the device, the malware steals information about banking/payment-related apps, as well as SMS and USSD messages from the device. This enables the attackers to steal SMS messages received for second-factor authentication purposes and potentially take over users' accounts in other applications."
Other applications targeted by the malware included easywallet, HayPost Pay, MobiDram, Tellcell and other online payment systems, it said.
"By default, Android does not allow installing applications from sources other than Google Play - make sure to keep this setting on," AM-CERT said.
If a victim executes the malware, it requests specific Android privileges such as the ability to read phone numbers and receive and read SMS messages, Group-IB said. If a victim grants those permissions, the malware is designed to disable access to the system dialog they would need to revoke the permissions.
Group-IB said the 1,402 different samples of the malware it's recovered to date appear to contain hard-coded details referring to different group affiliates. "This leads us to conclude that it's based on an affiliate program, where the support for the initial project is led by a small group of people, and all the distribution and infection chains are made by affiliates working for the percentage," the researchers said, referring to the profit-sharing model many cybercrime affiliate programs employ.
News that a relatively new banking Trojan is actively targeting end users comes despite such malware arguably having its day in the 2010s, driven especially by the likes of the Windows-targeting Zeus banking Trojan, for which source code leaked in 2011, spawning countless imitators.
The rise of ransomware in the later 2010s, fueled by the introduction of the double-extortion shakedown model and leading to massive profits for practitioners, seems to have taken a bite out of many criminals' interest in banking Trojans.
The FBI said investment scams were in first place for losses due to online-enabled crime last year, followed by business email compromise and tech support scams. In 2023, nearly 300,000 victims reporting phishing attacks but only 659 filed reports tied to malware, though of course identifying that as attackers' threat vector might be difficult.
Regardless, banking Trojans appear to remain a viable threat, not least for Android users in Central Asia. "Banking Trojans are still highly active, with threat actors widely distributing modified Trojans based on publicly available source code," Group-IB said.
*Update Sept. 13, 2024 07:57 UTC: This story has been updated with a comment from Google.