New Android Banking Malware Targets Users via Telegram

By Sophia Taylor

A new strain of Android malware, Ajina.Banker, is targeting banking customers across Central Asia, posing a significant threat to users’ financial data.

Discovered by Singapore-based cybersecurity firm Group-IB, the malware has been active since at least November 2023, targeting countries like Kazakhstan, Pakistan, Uzbekistan, and Ukraine, among others.

Fig 1. New infections timeline. Source: Group-IB

Ajina.Banker aims to steal financial information and intercept two-factor authentication (2FA) messages, crucial security layers used by banks to protect user accounts.

The malware spreads through Telegram channels masquerading as legitimate apps linked to banking, government services, and other utilities. Threat actors use tailored messages and localized strategies to lure victims, offering fake giveaways and promotions to increase infection rates.

Once installed on a device, Ajina.Banker connects to a remote server and requests permissions to access sensitive data such as SMS messages, call logs, and SIM card information.

The malware is also designed to abuse Android’s accessibility services, which lets it block uninstallation and grant itself additional permissions to harvest even more personal information.
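As an added illustration that is not Group-IB’s code or part of the original article, the script below triages a decoded AndroidManifest.xml for the permission profile described above: SMS, call-log and SIM/phone-state access combined with a declared accessibility service. The mapping of behaviours to permission names and the sample manifest are assumptions constructed for this example.

```python
"""Flag APK manifests whose permission profile matches an SMS-stealing banker."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed mapping from the behaviours in the article to Android permissions.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERMS = {"android.permission.READ_CALL_LOG"}
SIM_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_findings(manifest_xml: str) -> dict:
    """Return which risky capabilities a decoded manifest declares, plus a simple score."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    acc_services = [s.get(NAME) for s in root.iter("service")
                    if s.get(PERM_ATTR) == ACCESSIBILITY_PERM]
    findings = {
        "reads_sms": bool(requested & SMS_PERMS),
        "reads_call_log": bool(requested & CALL_LOG_PERMS),
        "reads_sim_info": bool(requested & SIM_PERMS),
        "accessibility_service": acc_services,
    }
    # One point per capability; SMS plus accessibility together is the banker profile.
    findings["risk_score"] = sum(findings[k] for k in ("reads_sms", "reads_call_log", "reads_sim_info")) \
        + (1 if acc_services else 0)
    findings["banker_profile"] = findings["reads_sms"] and bool(acc_services)
    return findings


# Constructed sample manifest (not a real sample of the malware).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_findings(SAMPLE_MANIFEST))
```

The manifest inside a real APK is binary-encoded, so decode it first (for example with apktool or aapt) before feeding it to this script.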

Fig 2. Telegram message containing malicious files. Source: Group-IB

While the malware isn’t found on Google Play, users are urged to avoid downloading apps from third-party sources and always check the permissions requested by any app. Google Play Protect, active by default on Android devices, offers a layer of protection, but users should remain cautious.

Ajina.Banker is still evolving. The malware operators have set up a network of affiliates to help distribute it and are continuously developing new features to evade detection.

Researchers believe some aspects of its distribution are automated, making it harder for platforms like Telegram to combat. Group-IB’s analysis suggests this malware is part of a coordinated campaign that leverages a deep understanding of local cultures and systems to effectively target users.

Fig 3. Example of malicious app interface. Source: Group-IB

The rapid rise of Ajina.Banker highlights the ongoing threat posed by Android banking Trojans, despite advancements in mobile security.

To mitigate risks, users should regularly update their devices, avoid suspicious links, and monitor their bank accounts for unusual activity. If infected, disabling network access and freezing affected accounts immediately is essential.