New Android Malware Ajina Attacks Users To Steal Banking Login Details


Recent developments in Android malware have revealed a concerning trend where malicious applications are increasingly capable of stealing banking login details and intercepting two-factor authentication (2FA) messages. 

This significant rise in sophisticated attacks poses great risks to the financial security of users.


Recently, cybersecurity analysts at Group-IB identified a new Android malware dubbed “Ajina” that has been actively attacking users to steal their banking details and intercept 2FA messages.

Android Malware Ajina Attacks Users

Group-IB’s investigation uncovered the “Ajina” Android malware campaign targeting Central Asia, primarily Uzbekistan, which has been active since November 30, 2023. 

The malware is identified by the following package names and spreads via Telegram using social engineering tactics:-

  • com.example.smshandler 
  • org.zzzz.aaa 

It mimics legitimate apps; the analysed samples include those with SHA1 hashes b04d7fa82e762ea9223fe258fcf036245b9e0e9c and 5951640c2b95c6788cd6ec6ef9f66048a35d6070. 

Ajina requests critical permissions like READ_PHONE_STATE, CALL_PHONE, READ_PHONE_NUMBERS, RECEIVE_SMS, and READ_SMS. 

It collects SIM data (MCC, MNC, SPN), the list of installed financial apps, and SMS content, transmitting it to C2 servers using AES/GCM/NoPadding encryption over raw TCP. 

Graph analysis of network infrastructure (Source - Group-IB)

The malware abuses a manifest element to avoid requesting the QUERY_ALL_PACKAGES permission. It uses USSD requests to obtain phone numbers and sends data in JSON format with numeric action types (1-7). 


Later versions (org.zzzz.aaa) introduced accessibility service abuse, additional permissions (READ_CALL_LOG, GET_ACCOUNTS, READ_CONTACTS), and phishing capabilities. 
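The permission set, package-visibility trick and accessibility-service abuse described above can be turned into a static triage check over a decoded AndroidManifest.xml. The following is an added example written for this article, not Group-IB's tooling; it assumes the manifest has already been decoded (for example with apktool) and treats the article's package names and SHA1 hashes as indicators, with a constructed sample manifest for offline testing.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Indicators quoted in the article: sample package names and SHA1 hashes.
KNOWN_PACKAGES = {"com.example.smshandler", "org.zzzz.aaa"}
KNOWN_SHA1 = {"b04d7fa82e762ea9223fe258fcf036245b9e0e9c",
              "5951640c2b95c6788cd6ec6ef9f66048a35d6070"}
# Permission groups the article attributes to the early and later variants.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PHONE_PROFILING = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
                   "android.permission.READ_PHONE_NUMBERS"}
LATER_VARIANT = {"android.permission.READ_CALL_LOG", "android.permission.GET_ACCOUNTS",
                 "android.permission.READ_CONTACTS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str, apk_sha1: str = "") -> dict:
    """Score a decoded AndroidManifest.xml (e.g. apktool output) against the Ajina pattern."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Packages declared under <queries> are visible without QUERY_ALL_PACKAGES, so a long
    # list of banking packages here is a quiet way to learn which ones are installed.
    queried = [e.get(ANDROID_NS + "name") for e in root.iter("package")]
    # An accessibility service is a <service> guarded by the BIND_ACCESSIBILITY_SERVICE permission.
    has_a11y = any(s.get(ANDROID_NS + "permission") == A11Y_BIND for s in root.iter("service"))
    findings = []
    if package in KNOWN_PACKAGES or apk_sha1.lower() in KNOWN_SHA1:
        findings.append("known-ajina-indicator")
    if SMS_INTERCEPT <= perms:
        findings.append("sms-interception")
    if len(PHONE_PROFILING & perms) >= 2:
        findings.append("phone-profiling")
    if LATER_VARIANT & perms:
        findings.append("later-variant-permissions")
    if has_a11y:
        findings.append("accessibility-service")
    if len(queried) >= 3:
        findings.append(f"queries-{len(queried)}-packages")
    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "clean"
    return {"package": package, "findings": findings, "verdict": verdict}


# Constructed sample manifest for offline testing; not taken from a real Ajina sample.
SAMPLE_PERMS = ["RECEIVE_SMS", "READ_SMS", "READ_PHONE_STATE", "CALL_PHONE", "READ_CONTACTS"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.zzzz.aaa">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in SAMPLE_PERMS)
    + "<queries>" + "".join(f'<package android:name="bank.{i}"/>' for i in range(3)) + "</queries>"
    + f'<application><service android:name=".A11y" android:permission="{A11Y_BIND}"/></application>'
    + "</manifest>")
```

A single hit yields "review" and two or more yield "suspicious"; the thresholds are illustrative and should be tuned against a corpus of benign banking and messaging apps before use in triage.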

The campaign employs multiple Telegram accounts and C2 servers, the latter identified by TLS certificates whose issuer is “WIN-PDDC81NCU8C”. 

Besides this, the attribution suggests an affiliate program structure with ongoing development evidenced by Java coder recruitment and a Telegram bot (@glavnyypouzbekambot). 

Distribution of supported SPNs and apps of interest per country hardcoded in sample (Source - Group-IB)

The malware targets users in Uzbekistan, Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, and Pakistan, as indicated by embedded country codes and app package checks.

The case of Ajina demonstrates the rapid evolution of malware development and distribution. This banking trojan, known as “Ajina.Banker”, emerged quickly and established efficient distribution channels.

This approach is particularly effective in evading early detection by security systems.

Ajina’s ability to intercept SMS messages, steal login credentials, and manipulate on-screen content poses a significant threat to mobile banking security.

Recommendations

The recommendations are listed below:-

  • Always keep your mobile device updated.
  • Make sure to download apps only from Google Play.
  • Always keep an eye on the app permissions.
  • Avoid clicking on suspicious SMS links.
  • Disable the network, freeze bank accounts, and consult experts in case of infection.
  • Use fraud protection solutions that detect fraud techniques, phishing, and attacks, and that detect trojans, remote access, and personal data collection without extra software.
  • Always use robust security solutions for enhanced cybersecurity.
