Adrian Johnson
TLDR:
- Android malware Ajina.Banker targets users in Central Asia to steal financial information and bypass 2FA.
- Malware is spread via Telegram channels disguising as legitimate applications.
Bank customers in Central Asia have been targeted by a new strain of Android malware known as Ajina.Banker since at least November 2023. The malware aims to harvest financial information and intercept two-factor authentication (2FA) messages. The threat was discovered by Group-IB in May 2024, and it is spread through a network of Telegram channels set up by threat actors posing as legitimate banking, payment systems, and government services applications. The malware distribution process appears to have been partially automated, with malicious links shared in Telegram channels to evade bans in community chats. The attackers use tailored messages and localized promotions to increase infection rates, and the malware can gather SIM card information, installed financial apps, and SMS messages for exfiltration. Google Play Protect offers protection against the threat for Android users, but the malware’s active development indicates ongoing risks.
