A sophisticated Android malware campaign has been discovered, targeting bank customers in Central Asia. Researchers from the Singapore-based cybersecurity firm Group-IB have uncovered a new malware strain called Ajina Banker, which is designed to steal sensitive information from unsuspecting users through deceptive tactics.
First identified in May, the Ajina Banker malware disguises itself as legitimate financial apps, government service portals, and common utility tools, spreading primarily through Telegram, the messaging app. The malicious files have been distributed since at least November of last year, and the ongoing campaign shows no signs of slowing down.
In their report, Group-IB revealed that they had found nearly 1,400 unique malware samples attributed to Ajina Banker. The cybercriminals behind this operation, though not yet identified, work with a network of affiliates focused on defrauding ordinary users across several countries, including Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan. Uzbekistan has been the primary target, with most malware variants specifically designed to compromise users in that region.
Ajina Banker’s reach has since expanded beyond Central Asia, affecting victims in Russia, Ukraine, Pakistan, and even Iceland, suggesting the malware is evolving in sophistication and scope. In May alone, researchers observed attempted infections surpassing 100 per day.
The malware is propagated through a series of Telegram accounts, where hackers distribute it in local chat groups. They use convincing messages, offering fake rewards, special offers, or exclusive access to lure victims into downloading the malicious files. To avoid detection, these hackers direct users to external channels they control, allowing them to bypass security restrictions on Telegram, which would otherwise flag and ban suspicious activity.
Group-IB highlighted that the adversaries’ ability to operate numerous Telegram accounts simultaneously, while blending in with regular users, reflects a high level of organization and planning. This network of accounts spreads malware through both automated and manual efforts, increasing the campaign’s efficiency. Once a user installs Ajina Banker on their device, the malware gains access to sensitive information, including sent and received SMS, SIM card details, and a list of installed financial applications.
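The capability profile described above (SMS access, SIM details, enumeration of installed financial apps) is something a defender can screen for at the manifest level before a sample ever runs. The following triage script is an added example, not code from Group-IB's report: the permission-to-capability mapping and the sample manifest are constructed assumptions, and a match only means the app requests the same data access Ajina Banker is reported to use, not that it is malicious.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Capabilities attributed to Ajina Banker, mapped to the Android permissions an
# app would need to obtain them. The mapping is a triage assumption of ours,
# not taken from the report.
CAPABILITY_PERMISSIONS = {
    "read SMS traffic": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "read SIM details": {"android.permission.READ_PHONE_STATE",
                         "android.permission.READ_PHONE_NUMBERS"},
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report which capabilities a manifest declares. Package-visibility
    <queries> entries count as app enumeration too, since an app can use them
    to discover specific banking packages without QUERY_ALL_PACKAGES."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    queried = [pkg.get(NAME) for q in root.iter("queries")
               for pkg in q.iter("package")]
    hits = {cap: sorted(declared & perms)
            for cap, perms in CAPABILITY_PERMISSIONS.items()
            if declared & perms}
    if queried:
        hits.setdefault("enumerate installed apps", []).extend(queried)
    return {"package": root.get("package"), "capabilities": hits,
            # True only when every capability in the profile is present
            "matches_profile": len(hits) == len(CAPABILITY_PERMISSIONS)}

# Constructed manifest for a fictitious "utility" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeutility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <queries>
    <package android:name="com.example.bankapp"/>
  </queries>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest in a real APK is binary-encoded; decode it first (for example with apktool or androguard) and feed the resulting XML text to `triage_manifest`.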
Ajina Banker continues to evolve, with attackers frequently updating the malware to avoid detection and improve its effectiveness. Social engineering techniques play a crucial role in the campaign’s success, leveraging local culture, interests, and needs to increase the likelihood of users falling victim.
While the operation has not been officially attributed to a specific hacker group, Group-IB noted that the attackers demonstrate familiarity with the cultural and linguistic nuances of the region, helping them craft more convincing phishing campaigns. As cyber threats continue to escalate in Central Asia and beyond, users are urged to exercise caution when downloading apps from unverified sources, especially on platforms like Telegram, where malware distribution has proven highly effective.