An Android malware threat targeting users of banking applications has been confirmed by security researchers who analyzed a campaign in Central Asia. Known as Ajina.Banker, the malware is designed to harvest financial information and credentials, including the interception of two-factor authentication codes, making it particularly dangerous. Any threat that includes the bypassing of 2FA in its arsenal has to be taken seriously, and Ajina.Banker is no exception.

Tracking Down The 2FA-Stealing Android Malware Campaign

An incredibly in-depth analysis of the Ajina.Banker campaign has been published by Group-IB with input from a threat intelligence analyst, cyber fraud analyst and security researcher. The result is a fascinating look inside the operations of threat actors looking to steal credentials for financial gain.

ForbesWarning Issued As Hackers Fake Google’s 2FA App To Steal Your DataBy Davey Winder

The attacks started in November 2023 but the researchers first spotted them in May 2024, with thousands of malicious samples eventually being detected that had been masquerading as banking applications as well as apps used to facilitate payments and deliveries. The common denominator was that they were all distributed using messaging platforms, with the researchers giving the example of Telegram channels, rather than the official app store. “Evidence suggests that this distribution process may have been partially automated,” the report stated, “allowing for a more efficient and far-reaching spread of the malicious software.”

At this point I should shout my usual warning: don’t download apps from unofficial app stores, and preferably only download Android apps from Google Play if you want the best protection from malware.

Although the analysis details attacks in Armenia, Azerbaijan, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan, “the evolution of this malware campaign is causing attacks to expand beyond the original region, causing more victims in other countries as well,” the researchers said.

As is often the case, the threat actors distributing the Ajina.Banker malware used giveaways and promotions such as special offers to entice victims into downloading malicious apps. If only there were a well-known saying such as “if it sounds too good to be true it probably is” that could serve as a warning to users.

The analysis revealed that the malware uses another oft-repeated technique for credential-stealing apps, the granting of user permissions. Once installed, the app connects to a remote server and attempts to trick the user into granting permissions that will enable the attackers to grant access to SMS messages both sent and received as well as mobile network information and phone numbers.

Mitigating The Threat Of 2FA Code Stealers

Google told The Hacker News that there was no evidence to suggest the Ajina.Banker malware had been propagated by way of the Play Store and advised that all Android users are protected against such threats by Google Play Protect. News of the latest updates to Play Protect in the form of the AI-powered Play Protect Live service only further reinforce this message.

ForbesGoogle Debuts New Chrome Browser Security Features To Block ThreatsBy Davey Winder

“Credential theft is the number one action being taken by threat actors,” Rocky Cole, co-founder of mobile device security company iVerify, said, “it’s so easy to steal credentials on phones where smaller screens, lower attention spans, lack of training, and the mixing of personal and professional use cases put people at risk.”

Which is why 2FA is so important, despite the warning that Ajina.Banker could intercept and copy codes. You should always use 2FA on every account where it is offered as it remains one of the most important security protections available to end users.