Ajina Android Malware: Risks and Impact.

“Rising Threat: Ajina Malware Targets Banking Security, Intercepting 2FA to Compromise Financial Data”

**Understanding the Threat of Android Malware Ajina: How It Steals Banking Details and Intercepts 2FA Messages**

A new menace has emerged that specifically targets Android users with alarming precision. Dubbed “Ajina” by cybersecurity analysts at Group-IB, this Android malware has been actively compromising the financial security of users in Central Asia since November 30, 2023. The primary method of attack involves stealing banking login details and intercepting two-factor authentication (2FA) messages, which are crucial for securing online transactions.

Ajina operates by masquerading as legitimate applications, using sophisticated social engineering tactics to deceive users into downloading malicious software. Once installed, the malware requests permissions that might seem benign at first glance but are actually integral to its malicious operations. These include permissions to read phone state, make calls, read phone numbers, and receive and read SMS messages. By granting these permissions, users unknowingly give Ajina the ability to access sensitive information.

The malware cleverly collects data such as SIM card details (MCC, MNC, SPN), a list of installed financial apps, and the content of SMS messages. This information is then encrypted using AES/GCM/NoPadding encryption and transmitted over raw TCP to command and control (C2) servers controlled by the attackers. What makes Ajina particularly dangerous is its ability to bypass certain Android permissions, such as QUERY_ALL_PACKAGES, which typically require explicit user approval.

As the malware evolves, newer versions have introduced even more invasive features. These include the abuse of accessibility services, additional permissions like reading call logs and contacts, and phishing capabilities designed to extract even more personal and financial information from unsuspecting victims. The sophistication of Ajina is evident in its use of USSD requests to obtain phone numbers directly from the device, which it then sends back to its C2 servers in a structured JSON format.

The distribution network for Ajina is robust, utilizing multiple Telegram accounts to spread the malware and a variety of C2 servers that exhibit signs of an affiliate program structure. This suggests that not only is Ajina a well-organized malware campaign, but it is also part of a larger ecosystem of cybercriminal activities that continuously adapt and evolve.

The geographical focus of Ajina includes several countries in Central Asia such as Uzbekistan, Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, and Pakistan. This regional specificity indicates a targeted approach, likely exploiting localized social engineering tactics that resonate more effectively with users in these areas.

The emergence of Ajina highlights a worrying trend in the development and distribution of Android malware. Its ability to intercept SMS messages and manipulate on-screen content presents a significant threat to mobile banking security. Users must be vigilant and take proactive steps to protect themselves from such sophisticated attacks.

To safeguard against threats like Ajina, it is crucial to keep mobile devices updated and only download apps from trusted sources like Google Play. Monitoring app permissions closely can also help prevent malicious software from gaining access to sensitive data. In the event of an infection, it is advisable to disable network connections immediately, freeze bank accounts, and seek assistance from cybersecurity experts. Additionally, employing robust security solutions can enhance protection against fraud techniques, phishing attempts, and unauthorized data collection.
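As an added illustration of the permission monitoring advised above (not code from Group-IB or from the original post), the following sketch flags apps from an untrusted installer that request the SMS permissions together with the phone or contact permissions the article lists. The sample input is constructed and simplified from the layout of `adb shell dumpsys package`; the package names, the trusted-installer list and the flagging rule are assumptions.

```python
import re

# Short names of the permissions the article lists, plus two added in later versions.
WATCHED = {"READ_PHONE_STATE", "CALL_PHONE", "READ_PHONE_NUMBERS", "RECEIVE_SMS",
           "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS"}
SMS = {"RECEIVE_SMS", "READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumed allow-list)

# Constructed sample, simplified from the layout of `adb shell dumpsys package`.
SAMPLE = """\
Package [com.example.messages] (aaa111):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_PHONE_STATE
Package [com.example.freegift] (bbb222):
  installerPackageName=null
  requested permissions:
    android.permission.READ_PHONE_STATE
    android.permission.CALL_PHONE
    android.permission.READ_PHONE_NUMBERS
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.READ_CONTACTS
Package [com.example.game] (ccc333):
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
"""

def parse_packages(text):
    """Return {package: {"installer": str, "perms": set of short permission names}}."""
    apps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Package \[([\w.]+)\]", line):
            current = apps.setdefault(m.group(1), {"installer": "null", "perms": set()})
        elif current is not None and line.startswith("installerPackageName="):
            current["installer"] = line.split("=", 1)[1]
        elif current is not None and line.startswith("android.permission."):
            current["perms"].add(line.split(":")[0].rsplit(".", 1)[1])
    return apps

def audit(apps):
    """Flag untrusted-installer apps holding both SMS permissions plus another watched one."""
    return [(n, sorted(a["perms"] & WATCHED)) for n, a in sorted(apps.items())
            if a["installer"] not in TRUSTED_INSTALLERS
            and SMS <= a["perms"] and (a["perms"] & WATCHED) - SMS]
```

Calling `audit(parse_packages(SAMPLE))` returns only `com.example.freegift`: the Play-installed messaging app and the sideloaded game with no SMS access are left alone.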

Understanding the threat posed by Android malware like Ajina is the first step towards securing our digital lives against increasingly sophisticated cyber threats. As we continue to rely more on mobile technology for our financial transactions, staying informed and cautious is more important than ever.
