The PolySwarm Blog


Ajina Android Malware

Sep 23, 2024 2:03:45 PM / by The Hivemind

Verticals Targeted: Financial

Executive Summary

Ajina is an Android banking malware that masquerades as legitimate Android apps in order to steal banking information and intercept 2FA.

Key Takeaways

  • Ajina is an Android banking malware that masquerades as legitimate Android apps in order to steal banking information and intercept 2FA.
  • The malware has been active since at least November 2023, with activity that has continued through 2024. 
  • Targets have included users in Uzbekistan, Armenia, Azerbaijan, Iceland, and Russia.
  • At present, around 1400 unique variants of Ajina have been identified.

What is Ajina?

Ajina Android malware was observed targeting users in Central Asia. The banking malware masquerades as legitimate Android apps in order to steal banking information and intercept 2FA. The malware has been active since at least November 2023, with activity that has continued through 2024. Targets have included users in Uzbekistan, Armenia, Azerbaijan, Iceland, and Russia. At present, around 1400 unique variants of Ajina have been identified. Group-IB reported on Ajina.

Ajina is named after a malicious mythical Uzbek spirit known for its shape-shifting abilities and its propensity to create chaos. The name aptly describes this malware, which masquerades as legitimate apps, including banking apps, government portals, delivery apps, and commonly used utilities, to lure victims into downloading the malicious file that compromises their devices. It then wreaks havoc by stealing the victim’s banking information.

In addition to stealing a user’s banking information, Ajina is capable of gathering SIM card details and intercepting SMS messages. SMS interception allows the malware to potentially capture the 2FA codes needed to log in to bank accounts. Ajina is also considered adaptable malware. At least two distinct versions have been observed, with the newer version having additional functionality, including the ability to steal phone numbers, bank card information, and PIN codes.

Ajina is primarily spread via social engineering and is distributed via social messaging platforms including Telegram. The threat actors use multiple accounts to distribute malicious links and files. They pretend to promote an offer or reward program or to be affiliated with the local tax authorities. This tactic exploits the user’s tendency to react to messages that appear to be urgent or exciting. The threat actors are also known to send messages with a malicious file attached or a link that sends the user directly to a channel that hosts the malware, counting on the user’s curiosity to entice them to click the link.

Ajina is thought to operate on an affiliate model, with the managing threat actors maintaining the infrastructure and affiliates distributing the malware.

IOCs

PolySwarm has multiple samples of Ajina.


You can use the following CLI command to search for all Ajina samples in our portal:

$ polyswarm link list -f Ajina

Topics: Threat Bulletin, Android, Banker, Ajina
