Since November 2023, a new Android malware called Ajina.Banker has been targeting bank customers across Central Asia, focusing on stealing financial information and intercepting two-factor authentication (2FA) messages.
According to researchers, the malware is distributed via Telegram channels, disguised as legitimate apps related to banking, payment services, and even government utilities. The attackers rely on a network of affiliates, incentivized by financial gain, to spread the malware to unsuspecting users.
The campaign has impacted multiple countries, including Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, Pakistan, Russia, and others.
Researchers suspect the distribution process may involve automation, as the malware is spread through Telegram links and APK files, bypassing the security measures of community chat channels. These links lead to further malicious Telegram channels or external sources, allowing the malware to avoid detection and bans.
To lure in more victims, the attackers present the malware as giveaways or promotions in local Telegram chats, making the files seem like exclusive offers or rewards. The tailored approach—localized messages and region-specific promotion strategies—has proven effective in tricking users, significantly increasing infection rates.
The coordinated distribution also shows signs of automation, with attackers using multiple accounts to simultaneously spam messages across channels.
Once installed, Ajina.Banker connects to a remote server and requests access to sensitive information like SMS messages, SIM card details, and installed financial apps. It collects this data and sends it to the server for exploitation.
The malware’s newer versions are even more dangerous, serving phishing pages to capture banking information, accessing call logs, and misusing Android’s accessibility services to block uninstallation and gain additional permissions.
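The behaviour described in the two paragraphs above (SMS access, SIM and call-log data, enumeration of installed financial apps, and an accessibility service used to resist removal) maps onto a recognisable pattern in an app's manifest. The following Python snippet is an added example of a defender-side triage check, not code from the original article or from any named research team: it parses an AndroidManifest.xml and flags the combination of SMS permissions, package enumeration and a declared accessibility service. The manifest text, the package names and the category labels are constructed for illustration; a real triage would run this over manifests extracted from sideloaded APKs and treat a hit as a prompt for manual review rather than a verdict.

```python
# Added example (not from the original article): heuristic triage of an Android
# manifest for the permission pattern a banking trojan of this kind needs.
# The sample manifests below are constructed; no values here come from the
# real malware.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission and action names used for matching.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SIM_PERMISSIONS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
CALL_LOG_PERMISSIONS = {"android.permission.READ_CALL_LOG"}
PACKAGE_ENUM_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text: str) -> dict:
    """Summarise risk-relevant declarations and flag the SMS+accessibility combination."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    # Services that bind with BIND_ACCESSIBILITY_SERVICE are accessibility services.
    accessibility_services = sorted(
        _attr(s, "name") for s in root.iter("service")
        if _attr(s, "permission") == ACCESSIBILITY_BIND
    )

    # Package visibility: either the broad QUERY_ALL_PACKAGES permission or an
    # explicit <queries> list naming specific apps (e.g. banking apps).
    queries = root.find("queries")
    queried_packages = sorted(
        _attr(p, "name") for p in queries.iter("package")
    ) if queries is not None else []
    enumerates_packages = PACKAGE_ENUM_PERMISSION in perms or bool(queried_packages)

    findings = {
        "sms_access": sorted(perms & SMS_PERMISSIONS),
        "sim_or_phone_identity": sorted(perms & SIM_PERMISSIONS),
        "call_log": sorted(perms & CALL_LOG_PERMISSIONS),
        "package_enumeration": enumerates_packages,
        "queried_packages": queried_packages,
        "accessibility_service": accessibility_services,
    }
    # Heuristic (an assumption of this example): reading SMS plus an accessibility
    # service is the pairing a 2FA-stealing trojan needs, so that alone is enough
    # to route the APK for manual review.
    findings["suspicious_combination"] = bool(findings["sms_access"]) and bool(accessibility_services)
    findings["risk_categories"] = sum(
        1 for k in ("sms_access", "sim_or_phone_identity", "call_log", "accessibility_service")
        if findings[k]
    ) + int(enumerates_packages)
    return findings


# Constructed sample resembling the pattern described in the article.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <queries>
    <package android:name="com.example.bank.one"/>
    <package android:name="com.example.wallet.two"/>
  </queries>
  <application android:label="Utility">
    <service android:name="com.example.sample.OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(text))
```

The check deliberately looks at declarations rather than behaviour: a manifest cannot show whether SMS content is exfiltrated, but an app distributed through a chat channel that asks for SMS, phone-identity and package-visibility permissions and also registers an accessibility service has every capability the article attributes to this family, which is a sound reason to quarantine it before installation.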
Although Google confirmed that Ajina.Banker has not infiltrated the Google Play Store, Android devices remain at risk from external sources. Google Play Protect, which is enabled by default on devices with Google Play Services, offers some protection against this malware.
To protect against malware like Ajina.Banker, Android users should avoid downloading apps from unofficial sources and be cautious when clicking on links in messaging platforms like Telegram. Always ensure that accessibility services are only granted to trusted apps and keep your device updated with the latest security patches.