- Cyber Syrup
- Posts
- New Android Malware Steals Banking Information And Bypasses 2FA
New Android Malware Steals Banking Information And Bypasses 2FA
This malware represents a sophisticated new threat targeting banking customers across Central Asia
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Want SOC 2 compliance without the Security Theater?
Question 🤔 does your SOC 2 program feel like Security Theater? Just checking pointless boxes, not actually building security?
In an industry filled with security theater vendors, Oneleet is the only security-first compliance platform that provides an “all in one” solution for SOC 2.
We’ll build you a real-world Security Program, perform the Penetration Test, integrate with a 3rd Party Auditor, and provide the Compliance Software … all within one platform.
New Android Malware Steals Banking Information And Bypasses 2FA
A new strain of Android malware, Ajina.Banker, has been targeting bank customers in the Central Asia region since at least November 2023. The malware is designed to steal financial information and intercept two-factor authentication (2FA) messages, putting users’ sensitive data at significant risk. The threat was first uncovered by Singapore-headquartered cybersecurity firm Group-IB in May 2024. Ajina.Banker is being spread through a network of Telegram channels, disguised as legitimate banking, payment system, or government service applications.
This campaign poses a severe threat to users in countries like Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. Below, we explore how the malware works, who is at risk, and how to protect yourself from this type of cyber attack.
Understanding the Vulnerability
Ajina.Banker is propagated through Telegram channels that are crafted to appear legitimate. The malware distribution relies heavily on social engineering techniques, tricking users into downloading infected Android Package (APK) files. These files are disguised as apps related to banking, payment systems, government services, or even common utilities.
Once installed, Ajina.Banker communicates with a remote server and requests permissions to access sensitive data, including SMS messages, phone numbers, cellular network information, and SIM card details. The malware is also capable of gathering a list of installed financial apps, intercepting 2FA codes, and serving phishing pages to steal banking credentials.
Notably, the attackers employ automated distribution methods through Telegram, using multiple accounts to bombard community chats with malicious links. This approach enables them to bypass security measures that would typically block or ban harmful content, making it easier to evade detection and spread the malware widely.
Ajina.Banker’s capabilities also extend to preventing uninstallation by abusing Android’s accessibility services, making it even more challenging for victims to remove the malware from their devices.
Who is at Risk?
The Ajina.Banker malware primarily targets users in Central Asia and some parts of Eastern Europe. The regions that have been most affected include:
Armenia
Azerbaijan
Iceland
Kazakhstan
Kyrgyzstan
Pakistan
Russia
Tajikistan
Ukraine
Uzbekistan
Anyone who uses banking or financial apps on an Android device in these regions is at risk. Since the malware is spread through popular messaging platforms like Telegram, it poses a particular danger to those who frequent community groups where these malicious APK files are shared. The localized promotional tactics employed by the attackers make the malware even more effective at targeting users in specific countries.
Moreover, Ajina.Banker’s ability to intercept 2FA messages puts not only financial information at risk but also access to any service that relies on 2FA for secure authentication, including email accounts, social media platforms, and more.
How to Protect Yourself
To safeguard yourself against threats like Ajina.Banker, it’s essential to adopt good security practices, especially when using Android devices and messaging platforms like Telegram. Here are some key steps to protect yourself:
1. Avoid Downloading APK Files from Untrusted Sources
Only download apps from the official Google Play Store or other trusted sources. Avoid downloading APK files shared in messaging platforms like Telegram, especially if they promise free services or rewards.
2. Enable Two-Factor Authentication (2FA) with Caution
While 2FA adds an extra layer of security, malware like Ajina.Banker can intercept these codes. Use authenticator apps (like Google Authenticator or Authy) instead of SMS-based 2FA whenever possible, as they are more secure.
3. Be Wary of Phishing Attempts
Cybercriminals often use phishing pages to trick users into entering their banking credentials. Always double-check URLs and avoid clicking on suspicious links, particularly if they come from unverified sources.
4. Update Your Android Security Settings
Make sure your Android device is updated with the latest security patches. Additionally, disable the installation of apps from unknown sources in your security settings to prevent accidental installation of malicious APKs.
5. Use Reliable Security Software
Install reputable antivirus or anti-malware software on your Android device. These tools can help detect and block malicious apps before they cause harm.
6. Report Suspicious Activity
If you suspect that an APK file or Telegram channel is distributing malware, report it to the platform administrators. This can help prevent the spread of the malware to other users.
Conclusion
Ajina.Banker represents a sophisticated new threat targeting banking customers across Central Asia. By spreading through Telegram channels under the guise of legitimate apps, the malware is designed to steal financial information and intercept 2FA codes.
To protect yourself, it is essential to be cautious when downloading apps, avoid clicking on suspicious links, and use security measures such as trusted antivirus software and secure 2FA methods. By taking these precautions, you can reduce your risk of falling victim to malware like Ajina.Banker and keep your personal and financial information safe.