Ajina.Banker: New Android Malware Targeting Central Asian Bank Customers and Bypassing 2FA via Telegram

A new strain of Android malware, codenamed Ajina.Banker, has been targeting bank customers across Central Asia since November 2023. Discovered by Group-IB, Ajina.Banker is specifically designed to steal financial data and intercept two-factor authentication (2FA) messages, giving attackers full access to victims’ banking accounts.

  • Propagation via Telegram: Ajina.Banker is spread through a network of Telegram channels posing as legitimate apps related to banking, payment systems, government services, and everyday utilities. Threat actors use localized messages and promotions to make the malware more appealing and trustworthy to potential victims.
  • Countries Affected: Targets include users in Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. This regional targeting strategy exploits local trust in community channels and chats on Telegram.
  • Automated Distribution: Evidence suggests that some aspects of Ajina.Banker’s distribution process may be automated, allowing it to evade Telegram’s moderation tools. Malicious APK files are shared in these channels, tricking users into downloading malware.
  • Stealing Financial Data: Once installed, Ajina.Banker requests permission to access SMS messages, cellular network information, and SIM card details, allowing it to steal financial information. The malware also gathers data from installed financial apps and sends it to a remote command-and-control (C2) server.
  • Phishing Pages and Accessibility Abuse: Newer versions of the malware deliver phishing pages to collect sensitive banking credentials. Additionally, Ajina.Banker abuses Android’s accessibility services API to prevent uninstallation and gain elevated permissions, making it difficult for victims to remove the threat.
  • Bypassing 2FA: By intercepting SMS messages, Ajina.Banker can bypass two-factor authentication (2FA), a common security measure used to protect online banking accounts.
  • Development in Progress: Ajina.Banker appears to be actively under development, as researchers have identified that the attackers are hiring Java coders and building tools to automate the malware’s spread and management.
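The "Stealing Financial Data" and "Phishing Pages and Accessibility Abuse" points above describe a combination a defender can look for on managed devices: an app that was not installed from Google Play yet holds SMS permissions, declares an accessibility service and reads phone/SIM state. The triage heuristic below is an added example, not Group-IB's or Net Protector's tooling; it runs over a constructed app inventory (as an MDM or `dumpsys package` export might be normalised to), and the package names other than `com.android.vending` are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Google Play's package name; any other installer (or none) means the APK was sideloaded,
# e.g. downloaded from a Telegram channel. The inventory further down is constructed.
PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PHONE_STATE = "android.permission.READ_PHONE_STATE"  # cellular network / SIM details

@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]  # None = no recorded installer (sideloaded)
    permissions: set[str] = field(default_factory=set)
    # permissions declared on <service> entries; an accessibility service must be
    # protected by BIND_ACCESSIBILITY_SERVICE for the system to bind to it
    service_permissions: set[str] = field(default_factory=set)

def risk_reasons(app: InstalledApp) -> list[str]:
    """Return the observations matching the Ajina.Banker behaviour described above."""
    reasons = []
    if app.installer != PLAY_STORE:
        reasons.append("sideloaded: installer is not Google Play")
    if app.permissions & SMS_PERMS:
        reasons.append("holds SMS permissions: can intercept 2FA codes")
    if ACCESSIBILITY_BIND in app.service_permissions:
        reasons.append("declares an accessibility service: can block uninstall")
    if PHONE_STATE in app.permissions:
        reasons.append("reads phone/SIM state")
    return reasons

def triage(inventory: list[InstalledApp]) -> dict[str, list[str]]:
    """Flag sideloaded apps that also hold SMS permissions; SMS access from a
    Play-installed banking app is expected and is not flagged on its own."""
    flagged = {}
    for app in inventory:
        if app.installer != PLAY_STORE and app.permissions & SMS_PERMS:
            flagged[app.package] = risk_reasons(app)
    return flagged

# Constructed inventory (hypothetical package names, not real indicators).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", PLAY_STORE, {"android.permission.RECEIVE_SMS"}),
    InstalledApp("com.example.fakeutility", None,
                 {"android.permission.READ_SMS", "android.permission.READ_PHONE_STATE"},
                 {ACCESSIBILITY_BIND}),
    InstalledApp("com.example.game", "org.example.altstore", {"android.permission.INTERNET"}),
]
```

Only the sideloaded app that can also read SMS is flagged; the Play-installed bank app and the sideloaded game each produce a single observation but no alert, which keeps the heuristic from paging on every legitimate banking app.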

To safeguard against Ajina.Banker and similar threats, Net Protector Cyber Security recommends the following steps:

  1. Install NPAV Mobile Security to protect Android devices from malware threats and phishing attacks.
  2. Avoid downloading apps from unofficial sources like Telegram or untrusted websites. Stick to the Google Play Store.
  3. Enable Google Play Protect to automatically scan your device for harmful apps.
  4. Use a strong multi-factor authentication method that doesn’t rely solely on SMS-based 2FA.

Net Protector Cyber Security continues to monitor the evolving threat landscape to ensure our customers are protected from advanced mobile threats like Ajina.Banker.