Central Asia is being targeted by a new Android malware family known as Ajina.Banker. Discovered by cybersecurity firm Group-IB in May 2024, the malware has been active since November 2023, and researchers have identified approximately 1,400 unique variants of it.
Named after a malevolent Uzbek mythical spirit associated with deception and chaos, Ajina.Banker employs a stealthy approach to target unsuspecting users. The malware disguises itself as reputable applications such as banking services, government portals, and everyday utilities in order to deceive individuals into downloading and running the malicious file, ultimately compromising their devices.
The primary method of distribution for Ajina.Banker is through social engineering tactics on messaging platforms like Telegram. Attackers create multiple accounts to disseminate malicious links and files disguised as enticing offers or promotions, tricking users into downloading and installing the malware under false pretenses of lucrative rewards or exclusive access.
Furthermore, the attackers utilize a multi-faceted strategy by sending messages containing the malicious file alone, exploiting users’ curiosity. They also share links to channels hosting the malware, evading security measures present on some community chats. By employing localized promotion techniques and themed messages, the attackers create a sense of urgency and excitement within regional community chats, encouraging users to click on links or download files without suspicion.
While initially targeting users in Uzbekistan, Ajina.Banker has managed to expand its reach beyond borders. The malware is capable of gathering information on financial applications installed in various countries such as Armenia, Azerbaijan, Iceland, and Russia. Additionally, it collects SIM card details and intercepts incoming SMS messages, potentially capturing 2FA codes used for securing financial accounts.
An analysis of the malware reveals the existence of two distinct versions, com.example.smshandler and org.zzzz.aaa, indicating ongoing development. Newer iterations of the malware showcase enhanced functionalities, including the capability to steal user-provided phone numbers, bank card details, and PIN codes.
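The SMS interception and SIM-data collection described above leave visible traces in an app's manifest. The following triage script is an added example (not Group-IB's tooling or the malware's own code): it parses a decoded AndroidManifest.xml, such as apktool output, and flags SMS-read permissions, a receiver registered for incoming SMS, and the two package names named in the article. The sample manifest is constructed for illustration.

```python
# Added example: triage a decoded AndroidManifest.xml (e.g. apktool output)
# for the SMS/SIM-access indicators described above. Not Group-IB tooling.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Package names reported for the two Ajina.Banker versions.
KNOWN_PACKAGES = {"com.example.smshandler", "org.zzzz.aaa"}
# Permissions that let an app read incoming SMS (2FA codes) and SIM details.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.READ_PHONE_STATE"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text: str) -> dict:
    """Report SMS-related permissions, SMS receivers, and a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # A BroadcastReceiver for SMS_RECEIVED sees every incoming message.
    sms_receivers = [
        r.get(NS + "name")
        for r in root.iter("receiver")
        if any(a.get(NS + "name") == SMS_RECEIVED for a in r.iter("action"))
    ]
    found = sorted(perms & SMS_PERMISSIONS)
    known = package in KNOWN_PACKAGES
    # Flag a known package, or an SMS receiver backed by SMS read permissions.
    suspicious = known or (bool(sms_receivers) and len(found) >= 2)
    return {"package": package, "sms_permissions": found,
            "sms_receivers": sms_receivers, "known_package": known,
            "suspicious": suspicious}


# Constructed sample manifest, modelled on what a fake banking app might declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smshandler">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bank">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate banking app rarely needs RECEIVE_SMS plus READ_SMS together with its own SMS receiver, so the combination is worth a closer look even when the package name is unknown.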
Group-IB’s investigation into Ajina.Banker suggests that the malware operates on an affiliate program model, with a core group managing the infrastructure while a network of affiliates handles distribution and infection chains, likely receiving a share of the stolen funds as an incentive.
To safeguard oneself and one’s devices against Ajina.Banker and similar threats, it is advised to exercise caution when dealing with unsolicited messages and downloads, stick to trusted app stores like Google Play Store, scrutinize app permissions, install security software, and stay informed about the latest malware threats and best practices for mobile security.
Rocky Cole, Co-Founder and COO of mobile device security company iVerify, emphasized the importance of running EDR platforms on phones to detect malicious APKs and social engineering attempts, highlighting credential theft as a prevalent threat in the current landscape of cybersecurity.
As the prevalence of Android malware continues to rise, it is imperative for users to remain vigilant and proactive in safeguarding their personal information and devices from malicious actors seeking to exploit vulnerabilities in the digital realm.
In conclusion, the emergence of Ajina.Banker underscores the need for increased awareness and robust security measures to thwart the nefarious activities of cybercriminals targeting individuals in Central Asia and beyond. By staying informed and implementing preventive measures, users can mitigate the risks posed by such malicious software and protect themselves from falling victim to financial fraud and data theft.
