
New Android Malware Steals Banking Information And Bypasses 2FA

This malware represents a sophisticated new threat targeting banking customers across Central Asia

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.



A new strain of Android malware, Ajina.Banker, has been targeting bank customers in the Central Asia region since at least November 2023. The malware is built to steal financial information and to intercept the one-time codes that banks send by SMS for two-factor authentication (2FA), putting users’ accounts at significant risk. The threat was first uncovered by Singapore-headquartered cybersecurity firm Group-IB in May 2024. Ajina.Banker is spread through a network of Telegram channels, disguised as legitimate banking, payment system, or government service applications.

This campaign poses a severe threat to users in countries like Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. Below, we explore how the malware works, who is at risk, and how to protect yourself from this type of cyber attack.

Understanding the Threat

Ajina.Banker is propagated through Telegram channels crafted to appear legitimate. Distribution relies heavily on social engineering: users are tricked into downloading and sideloading malicious Android Package (APK) files that are disguised as apps for banking, payment systems, government services, or even common utilities.

Once installed, Ajina.Banker communicates with a remote server and prompts the user for permissions that unlock sensitive data: SMS messages, the phone number, cellular network information, and SIM card details (on Android these correspond to the RECEIVE_SMS/READ_SMS and READ_PHONE_STATE permissions). With those grants in place the malware can collect a list of installed financial apps, intercept 2FA codes as they arrive by SMS, and serve phishing pages that imitate the targeted banks to steal credentials.

Notably, the attackers automate distribution on Telegram, using many throwaway accounts to flood community chats with links to the malicious APKs. Because the posting is spread across accounts, blocking or banning any single one of them does little: the flood continues from the rest, which lets the campaign outlast the moderation measures that would normally stop an individual spammer and reach a wide audience quickly.
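One way for a community administrator to spot the flooding pattern described above is to look for the same sideload link posted by several distinct accounts within a short window. The script below is an added example written for this article, not code from Group-IB or from the malware; the chat export format, the link `https://example.invalid/...` and the account names are constructed sample input, and the thresholds (three accounts in five minutes) are assumptions to tune per group.

```python
"""Flag coordinated APK-link flooding in a chat export.

Each export line is '<ISO timestamp> user=<account> <message>'. A link is
flagged when at least MIN_ACCOUNTS distinct accounts post it within one
WINDOW, which is the signature of the multi-account spam described in the
article. All sample data below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches an http(s) URL that ends in .apk (case-insensitive).
APK_LINK = re.compile(r"https?://\S+?\.apk\b", re.IGNORECASE)
MIN_ACCOUNTS = 3
WINDOW = timedelta(minutes=5)

# Constructed chat export: four accounts push one APK link in 16 seconds,
# one unrelated message, and one lone APK link that should not be flagged.
SAMPLE_CHAT = """\
2024-05-12T09:00:05 user=bot_a17 New bank app, install now: https://example.invalid/bank_update.apk
2024-05-12T09:00:09 user=bot_b02 Mandatory update https://example.invalid/bank_update.apk
2024-05-12T09:00:14 user=bot_c88 https://example.invalid/bank_update.apk official app
2024-05-12T09:00:21 user=bot_d31 https://example.invalid/BANK_UPDATE.apk
2024-05-12T09:02:40 user=alice does anyone know if the branch is open today?
2024-05-12T11:30:00 user=bob https://example.invalid/other.apk
"""


def find_link_floods(export_text, min_accounts=MIN_ACCOUNTS, window=WINDOW):
    """Return {normalised_link: sorted list of accounts} for flooded links."""
    posts = defaultdict(list)  # link -> [(timestamp, account), ...]
    for line in export_text.splitlines():
        if not line.strip():
            continue
        ts, user, msg = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        account = user.removeprefix("user=")
        for link in APK_LINK.findall(msg):
            # Lower-case so trivially varied links collapse to one key.
            posts[link.lower()].append((when, account))

    floods = {}
    for link, events in posts.items():
        events.sort()
        start = 0
        # Sliding window over the chronologically sorted posts of this link.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            senders = {acct for _, acct in events[start:end + 1]}
            if len(senders) >= min_accounts:
                floods[link] = sorted(senders)
    return floods


if __name__ == "__main__":
    for link, accounts in find_link_floods(SAMPLE_CHAT).items():
        print(f"FLOOD {link} from {len(accounts)} accounts: {', '.join(accounts)}")
```

The result for the constructed export is a single flagged link, `https://example.invalid/bank_update.apk`, posted by four accounts; the lone `other.apk` link is not flagged. Counting distinct accounts rather than messages is the point: a single enthusiastic user reposting a link looks very different from four accounts that have never spoken before posting it in the same minute.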

Ajina.Banker also abuses Android’s accessibility services to resist removal. An app granted accessibility access can read and interact with whatever is on screen, and the malware uses that capability to get in the way of uninstallation, making it considerably harder for victims to remove it from their devices.
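The permission set described in the two paragraphs above (SMS access, phone and SIM state, enumeration of installed apps, plus an accessibility service) is visible in an APK's manifest before the app is ever run. The triage script below is an added example for this article, not Group-IB's tooling or the malware's own code: it takes a decoded AndroidManifest.xml (as produced by `apktool` or `apkanalyzer manifest print app.apk`) and reports which of those capabilities the app requests. Both manifests embedded in it are constructed samples, and the package name `com.example.fakebank` and the threshold of three findings are assumptions.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination
of SMS-stealing Android bankers: SMS permissions (2FA interception),
phone/SIM state, package enumeration, and an accessibility service.
The manifests below are constructed samples for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DEVICE_PERMS = {"android.permission.READ_PHONE_STATE",
                "android.permission.READ_PHONE_NUMBERS"}
# On Android 11+ an app needs this to list every installed package,
# which is how a banker finds the financial apps it wants to imitate.
ENUM_PERMS = {"android.permission.QUERY_ALL_PACKAGES"}
# A service protected by this permission is an accessibility service.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a fake banking app.
SAMPLE_BANKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Bank">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app for contrast.
SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml):
    """Return requested permissions, accessibility services and findings."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(_attr(e, "name") for e in root.iter(tag))
    perms.discard(None)
    accessibility = [_attr(s, "name") for s in root.iter("service")
                     if _attr(s, "permission") == ACCESSIBILITY_PERM]

    findings = []
    if perms & SMS_PERMS:
        findings.append("reads/receives SMS (2FA code interception)")
    if perms & DEVICE_PERMS:
        findings.append("reads phone number / SIM / network state")
    if perms & ENUM_PERMS:
        findings.append("can enumerate all installed apps (target discovery)")
    if accessibility:
        findings.append("declares an accessibility service (uninstall resistance)")

    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "accessibility_services": accessibility,
        "findings": findings,
        # Assumed threshold: three of the four capabilities together is
        # rare in legitimate apps and worth a manual look.
        "banker_like": len(findings) >= 3,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_BANKER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "banker_like =", report["banker_like"])
        for finding in report["findings"]:
            print("  -", finding)
```

A legitimate banking app will usually request none of the SMS permissions (banks read their own codes through the SMS Retriever API or an in-app prompt) and will not ship an accessibility service, so the combination is a strong signal even without unpacking the code. Any one finding alone is not: messaging apps read SMS, and screen readers declare accessibility services.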

Who is at Risk?

The Ajina.Banker malware primarily targets users in Central Asia, with victims also reported in the Caucasus, Eastern Europe and beyond. The countries most affected are:

  • Armenia

  • Azerbaijan

  • Iceland

  • Kazakhstan

  • Kyrgyzstan

  • Pakistan

  • Russia

  • Tajikistan

  • Ukraine

  • Uzbekistan

Anyone who uses banking or financial apps on an Android device in these regions is at risk. Since the malware is spread through popular messaging platforms like Telegram, it poses a particular danger to those who frequent community groups where these malicious APK files are shared. The localized promotional tactics employed by the attackers make the malware even more effective at targeting users in specific countries.

Moreover, Ajina.Banker’s ability to intercept SMS messages puts more than financial information at risk: any service that sends its 2FA codes by SMS, including email accounts and social media platforms, can be taken over once the attacker has the victim’s password and a live feed of their text messages.

How to Protect Yourself

To safeguard yourself against threats like Ajina.Banker, it’s essential to adopt good security practices, especially when using Android devices and messaging platforms like Telegram. Here are some key steps to protect yourself:

1. Avoid Downloading APK Files from Untrusted Sources

  • Only download apps from the official Google Play Store or other trusted sources. Avoid downloading APK files shared in messaging platforms like Telegram, especially if they promise free services or rewards.

2. Prefer App-Based 2FA over SMS Codes

  • 2FA adds an extra layer of security, but malware like Ajina.Banker reads SMS codes straight off the device. Use authenticator apps (such as Google Authenticator or Authy) instead of SMS-based 2FA wherever the service allows it. Note that a code typed into a phishing page is still stolen, whatever generated it; where a bank supports phishing-resistant methods such as passkeys or FIDO2 security keys, those are the stronger option.

3. Be Wary of Phishing Attempts

  • Cybercriminals often use phishing pages to trick users into entering their banking credentials. Always double-check URLs and avoid clicking on suspicious links, particularly if they come from unverified sources.

4. Update Your Android Security Settings

  • Make sure your Android device is updated with the latest security patches. On current Android versions the ability to sideload is granted per app under Settings → Apps → Special app access → Install unknown apps; review that list and revoke it for browsers and messaging apps (Telegram included) so that a tapped link cannot install an APK directly.

5. Use Reliable Security Software

  • Keep Google Play Protect enabled, since it also scans sideloaded apps, and consider a reputable anti-malware product on top of it. These tools can detect and block known malicious apps before they cause harm, though they will lag behind a fresh sample.

6. Report Suspicious Activity

  • If you suspect that an APK file or Telegram channel is distributing malware, report it to the platform administrators. This can help prevent the spread of the malware to other users.
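For anyone checking a phone after the fact, the steps above translate into two questions that `adb` can answer: which third-party apps were not installed from Google Play, and which apps currently hold accessibility access. The script below is an added example for this article, not code from Group-IB; it parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`. The two outputs embedded in it are constructed samples (including the package `com.example.fakebank`), and the `adb` invocations at the bottom are only run when the script is started with `--device`.

```python
"""Find sideloaded apps that hold accessibility access on an Android device.

Parses two `adb shell` outputs:
  pm list packages -3 -i   -> third-party packages with their installer
  settings get secure enabled_accessibility_services
                           -> colon-separated list of pkg/service entries
The sample outputs below are constructed for this example.
"""
import subprocess
import sys

# Installer package of the Google Play Store.
PLAY_INSTALLER = "com.android.vending"

# Constructed output of `pm list packages -3 -i`: one Play-installed
# banking app, one sideloaded fake (installer=null), one sideloaded tool.
SAMPLE_PM_OUTPUT = """\
package:com.example.realbank  installer=com.android.vending
package:com.example.fakebank  installer=null
package:org.example.sidetool  installer=null
package:com.example.chat  installer=com.android.vending
"""

# Constructed output of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y_OUTPUT = (
    "com.example.fakebank/.AccessService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService\n"
)


def sideloaded_packages(pm_output):
    """Return third-party packages whose installer is not Google Play."""
    found = []
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("  installer=")
        installer = rest.strip()
        if installer != PLAY_INSTALLER:
            found.append(name.strip())
    return sorted(found)


def accessibility_packages(settings_output):
    """Return packages with an enabled accessibility service."""
    value = settings_output.strip()
    if value in ("", "null"):
        return []
    return sorted({entry.split("/", 1)[0] for entry in value.split(":") if entry})


def suspicious_packages(pm_output, settings_output):
    """Sideloaded apps that also hold accessibility access."""
    return sorted(set(sideloaded_packages(pm_output))
                  & set(accessibility_packages(settings_output)))


def adb_shell(*args):
    """Run an adb shell command and return its text output."""
    return subprocess.check_output(["adb", "shell", *args], text=True)


if __name__ == "__main__":
    if "--device" in sys.argv:
        pm_out = adb_shell("pm", "list", "packages", "-3", "-i")
        a11y_out = adb_shell("settings", "get", "secure",
                             "enabled_accessibility_services")
    else:
        pm_out, a11y_out = SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT
    print("sideloaded:", sideloaded_packages(pm_out))
    print("accessibility:", accessibility_packages(a11y_out))
    print("sideloaded AND accessibility:", suspicious_packages(pm_out, a11y_out))
```

On the constructed data the intersection is `com.example.fakebank` alone: TalkBack holds accessibility access but is a Google app, and the sideloaded tool holds none. A hit in that intersection is where to start, and since the malware fights removal through the same accessibility grant, revoking the service in Settings → Accessibility (or `adb shell pm uninstall <package>` from a trusted computer) is more reliable than tapping Uninstall on the phone.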

Conclusion

Ajina.Banker represents a sophisticated new threat targeting banking customers across Central Asia. By spreading through Telegram channels under the guise of legitimate apps, the malware is designed to steal financial information and intercept 2FA codes.

To protect yourself, it is essential to be cautious when downloading apps, avoid clicking on suspicious links, and use security measures such as trusted antivirus software and secure 2FA methods. By taking these precautions, you can reduce your risk of falling victim to malware like Ajina.Banker and keep your personal and financial information safe.