Ajina.Banker
Ajina.Banker is Android money-stealing malware observed by Group-IB in campaigns targeting Telegram users in Uzbekistan. It is associated with the Ajina threat group and is described as an earlier, more rudimentary family in the Uzbekistan mobile threat ecosystem, preceding newer families such as Wonderland. The malware has been distributed as malicious Android APKs, including through Telegram-based social engineering and large-scale spam campaigns. In the broader 2025 Uzbekistan activity, attackers used stolen Telegram access to message victims and their contacts, tricking them into sideloading malicious apps.

Group-IB reported that malware in these campaigns steals money and credentials from infected phones, can repeatedly withdraw funds from victims’ bank cards for as long as access persists, may masquerade as legitimate applications such as Google Play or as custom apps that open preset websites, requests permissions, and may display deceptive uninstall prompts. The campaigns also featured obfuscation, anti-analysis functions, and frequent rotation of domains and package names to hinder detection and blacklisting. High-confidence indicators in the provided content are limited to the malware name/alias Ajina.Banker and its use in Uzbekistan-focused Android financial theft operations.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Rudimentary Android banking trojan that relied on large-scale spam campaigns for distribution.
Android money-stealing/banking malware used to steal funds and credentials from infected devices in Uzbekistan-focused campaigns.