Bank customers in Central Asia targeted by new Android malware strain named Ajina.Banker

Bank customers in Central Asia are under threat from a new strain of Android malware known as Ajina.Banker, which has been targeting users since November 2024. The malware, discovered by Singapore-based Group-IB in May 2024, aims to steal financial information and intercept two-factor authentication messages.

The malware is being spread through a network of Telegram channels that pose as legitimate banking, payment system, and government service applications. Security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov stated that the attacker has a network of affiliates who spread the malware to target ordinary users.

Countries affected by this ongoing campaign include Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. The distribution process on Telegram channels appears to have been partially automated for efficiency, with the malware being disguised as links and APK files shared in messages.

The threat actors behind Ajina.Banker have been using tailored messages in regional community chats to increase infection rates. Additionally, the malware is capable of accessing sensitive information such as SIM card details, installed financial apps, SMS messages, call logs, and contacts. It also deploys phishing pages to gather banking information and prevents uninstallation by abusing Android’s accessibility services API.

Furthermore, researchers have linked Ajina.Banker to the SpyNote and Gigabud malware families, suggesting a coordinated and broad campaign by the same threat actor. The continuous evolution and development of this malware highlight the need for heightened awareness and vigilance among users in the region.