
Ajina.Banker Malware Targets Central Asia Banking Apps via Telegram

By Cedric Nelson

A new strain of Android malware called Ajina.Banker has been targeting bank customers in Central Asia since November 2023. Its primary objective is to steal financial information and intercept two-factor authentication (2FA) messages. The malware was discovered by Singapore-based cybersecurity firm Group-IB in May 2024.

Ajina.Banker spreads through a network of attacker-created Telegram channels disguised as official channels for banking, payment-system, government-service, or everyday utility apps. This distribution strategy reaches unsuspecting users who are searching for the genuine apps.

"The attacker uses a network of affiliates driven by financial incentives to spread Android banking malware that targets ordinary users," said security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov from Group-IB.

Countries affected by the malware include Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. There are indications that some parts of the malware distribution process are automated, improving the efficiency of these malicious campaigns.

Ajina.Banker uses Telegram to distribute the malicious APK files directly, accompanied by localized messages posing as giveaways or exclusive offers. Because the attackers control these channels, the files are not subject to the moderation typically enforced in other community chats, which lets the lures evade scrutiny and reach more victims.

"The use of localized promotion strategies and thematic messages increased infection rates significantly, as the malware was tailored to appeal to the interests of local populations," the researchers said.

Once installed, Ajina.Banker connects to a remote server and requests the permissions it needs to read SMS messages, query phone-number and phone-state APIs, and access other sensitive cellular information. With those permissions it collects SIM card details, the list of installed financial apps, and incoming SMS messages (including 2FA codes), all of which are sent to the attacker's server.

Additionally, newer versions of Ajina.Banker are designed to serve phishing pages to gather banking information and can access call logs and contacts. The malware also abuses Android’s accessibility services to make uninstallation difficult and acquire more permissions.
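Given the capability set described above, a practitioner's first check on a suspect APK is a static permission triage of its decoded manifest. The following is an added example written for this page, not Group-IB's analysis tooling or code from the malware: it parses an AndroidManifest.xml (the sample manifest, its package name and service name are constructed for illustration) and flags the combination the article describes: SMS read/receive, phone-state access, installed-app enumeration, a network path, and a declared accessibility service. Decode a real APK first (for example with apktool) and pass the resulting manifest text to triage_manifest().

```python
"""Static triage of a decoded AndroidManifest.xml for the capability set
described in the article. Added example; the manifests below are constructed
samples, not real Ajina.Banker artifacts."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
APERM = f"{{{ANDROID_NS}}}permission"    # android:permission attribute

# Capability buckets mapped to the behaviour the article attributes to the malware.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "sim_and_phone_state": {"android.permission.READ_PHONE_STATE",
                            "android.permission.READ_PHONE_NUMBERS"},
    "installed_app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
    "call_log_and_contacts": {"android.permission.READ_CALL_LOG",
                              "android.permission.READ_CONTACTS"},
    "network_exfil": {"android.permission.INTERNET"},
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANAME) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter carries the AccessibilityService action.
    has_a11y = False
    for svc in root.iter("service"):
        if svc.get(APERM) != ACCESSIBILITY_PERM:
            continue
        if ACCESSIBILITY_ACTION in {a.get(ANAME) for a in svc.iter("action")}:
            has_a11y = True
    return perms, has_a11y


def triage_manifest(xml_text):
    """Map the manifest onto the capability buckets and give a heuristic verdict."""
    perms, has_a11y = parse_manifest(xml_text)
    hits = {cap: sorted(perms & wanted)
            for cap, wanted in CAPABILITIES.items() if perms & wanted}
    if has_a11y:
        hits["accessibility_service"] = [ACCESSIBILITY_PERM]
    # SMS access plus a network path is the minimum needed to steal 2FA codes;
    # an accessibility service or app enumeration on top is the banker tell.
    suspicious = ("sms_interception" in hits and "network_exfil" in hits
                  and ("accessibility_service" in hits
                       or "installed_app_enumeration" in hits))
    return {"capabilities": hits, "suspicious": suspicious}


# Constructed sample: what a banker-style manifest looks like after decoding.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Bank">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign control: network access plus location only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The verdict is deliberately a heuristic: legitimate SMS apps and assistive tools request some of these permissions, so treat a "suspicious" result as a reason to pull the sample into dynamic analysis (watch for the server connection and SMS forwarding the article describes), not as a conviction on its own.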

The malware has not been found on the Google Play Store, and Google has stated that Android users are automatically protected against known versions of Ajina.Banker by Google Play Protect, which is on by default on devices with Google Play Services. Sideloaded APKs from Telegram are exactly the path Play Protect's store-level checks do not cover, which is why the distribution method matters.

Group-IB's researchers believe that the malware is still under active development, as evidenced by the recruitment of Java coders and the creation of Telegram bots offering monetary rewards to attract more affiliates. These developments suggest that Ajina.Banker is part of a well-organized and regionally focused malware campaign.

This disclosure coincides with a separate finding by Zimperium, which uncovered links between two other Android malware families, SpyNote and Gigabud, suggesting that a single threat actor could be behind both.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067