Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker. It has been operating since at least November 2024 with the aim of collecting financial information and intercepting two-factor authentication (2FA) messages.
Singapore-based Group-IB, which discovered the threat in May 2024, said the malware is spread through a network of Telegram channels set up by threat actors disguised as legitimate applications related to banking, payment systems, government services or everyday utilities.
“The attackers have a network of affiliates with financial motives and are spreading Android banker malware targeting ordinary users,” said security researchers Boris Martynyuk, Pavel Naumov and Anvar Anarkoulov.
Targets in the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine and Uzbekistan.
Evidence suggests that parts of the Telegram-based malware distribution process may be automated for efficiency, with numerous Telegram accounts designed to deliver crafted messages containing links to other Telegram channels or external sources and APK files to unknowing targets.
Links to Telegram channels hosting malicious files have the added benefit of circumventing security measures and restrictions imposed by many community chats, allowing accounts to avoid bans when auto-moderation is triggered.
In addition to exploiting the trust users place in legitimate services to maximize infection rates, the modus operandi also includes sharing malicious files in local Telegram chats, disguised as giveaways or promotions offering high rewards or exclusive access to services.
“The use of themed messaging and location-specific promotional strategies proved to be effective, especially in local community chat rooms,” the researchers said. “By tailoring its approach to the interests and needs of local residents, Ajina was able to significantly increase its infection success rate.”
The threat actors were also observed using multiple accounts to send multiple messages to Telegram channels, sometimes simultaneously, suggesting a coordinated effort using some sort of automated distribution tool.
The malware itself is quite simple: once installed, it establishes a connection with a remote server and requests the victim’s permission to access SMS messages, phone number APIs, current cellular network information, and more.
Ajina.Banker is able to collect SIM card information, a list of installed financial apps, and SMS messages, and exfiltrate them to its server.
The new version of the malware is also designed to display phishing pages and harvest banking information, as well as access call logs and contacts, and abuse Android’s accessibility services APIs to prevent uninstallation and grant itself additional permissions.
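The capability set described above (SMS access, phone and network state, call logs and contacts, and an accessibility service used to resist uninstallation) can be surfaced during APK triage from the decoded manifest alone. The following is an added example, not Group-IB's tooling or any code from the article: it parses a decoded AndroidManifest.xml, scores the permission combination, and flags an accessibility service declared alongside SMS access. The sample manifest, the package name and the weights are constructed assumptions for the example.

```python
"""Manifest triage heuristic (added example, not from the article or Group-IB).
Scores a decoded AndroidManifest.xml for the banker-style combination of
SMS access, telephony state, call log/contact access and an accessibility
service. Weights and thresholds are this example's assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Weighted indicators (assumed weights). INTERNET is listed so it is
# recognised but contributes nothing on its own.
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.READ_PHONE_NUMBERS": 1,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.INTERNET": 0,
}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
HIGH_RISK_THRESHOLD = 10  # assumed cut-off for the "high" verdict

# Constructed manifest for the example; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.payments">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Payments">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign contrast: a plain network-only app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, numeric score, verdict and human-readable findings."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    findings = sorted(p for p in perms if PERMISSION_WEIGHTS.get(p, 0) > 0)

    # An accessibility service is identified by the bind permission on <service>.
    a11y_services = [
        s.get(ANDROID_NAME)
        for s in root.iter("service")
        if s.get(ANDROID_PERMISSION) == ACCESSIBILITY_BIND
    ]
    if a11y_services:
        score += 3
        findings.append("accessibility service: " + ", ".join(a11y_services))

    # The combination is what matters: SMS interception plus a service that can
    # click through dialogs and block uninstallation.
    if perms & SMS_PERMISSIONS and a11y_services:
        score += 3
        findings.append("SMS access combined with accessibility service")

    verdict = "high" if score >= HIGH_RISK_THRESHOLD else "low"
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

The heuristic is meant for triage queues, not as a verdict on its own: legitimate SMS or accessibility apps will score, so the finding list is what an analyst reads next.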
“The hiring of a Java programmer to create a Telegram bot with the goal of generating revenue indicates that the tool is under active development and supported by a network of affiliated employees,” the researchers said.
“Analysis of filenames, sample distribution methods, and other actor activity suggests the actors have cultural familiarity with the regions in which they operate.”
The revelation comes after Zimperium discovered a link between two Android malware families tracked as SpyNote and Gigabud (part of the GoldFactory family, which also includes GoldDigger).
“Domains with very similar structures (using the same unusual keywords as subdomains) and targets were used to spread Gigabud samples and were also used to distribute SpyNote samples,” the company said. “This distribution overlap suggests the same threat actor is likely behind both malware families and suggests a well-coordinated, widespread campaign.”
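The overlap Zimperium describes, the same unusual subdomain keywords appearing in infrastructure for two families, is a routine threat-intelligence pivot. The following is an added example, not Zimperium's code: it indexes subdomain labels across two labelled indicator sets and reports the labels, and the hosts carrying them, that appear in both. The hostnames are constructed placeholders on a reserved TLD, not real indicators, and the two-label registrable-domain assumption stands in for a public-suffix lookup.

```python
"""Subdomain-keyword overlap between malware families (added example).
Constructed hostnames on the reserved .invalid TLD; not real IoCs."""
from collections import defaultdict

# Constructed indicator sets labelled by family.
SAMPLE_DOMAINS = {
    "gigabud": [
        "zxcq-app.loan-example.invalid",
        "zxcq-app.bank-example.invalid",
        "www.news-example.invalid",
    ],
    "spynote": [
        "zxcq-app.update-example.invalid",
        "cdn.files-example.invalid",
    ],
}

# Generic labels that would produce meaningless overlap.
COMMON_LABELS = {"www", "cdn", "api", "mail", "m", "app", "static"}


def subdomain_labels(host: str) -> list:
    """Return the non-generic subdomain labels of a hostname.
    Assumption: the registrable domain is the last two labels (no public
    suffix list is consulted here)."""
    parts = host.lower().rstrip(".").split(".")
    return [p for p in parts[:-2] if p and p not in COMMON_LABELS]


def shared_labels(domains_by_family: dict) -> dict:
    """Map each subdomain label seen in more than one family to the
    families and hosts that use it."""
    index = defaultdict(lambda: {"families": set(), "hosts": set()})
    for family, hosts in domains_by_family.items():
        for host in hosts:
            for label in subdomain_labels(host):
                index[label]["families"].add(family)
                index[label]["hosts"].add(host)
    return {
        label: {"families": sorted(v["families"]), "hosts": sorted(v["hosts"])}
        for label, v in index.items()
        if len(v["families"]) > 1
    }


if __name__ == "__main__":
    for label, info in shared_labels(SAMPLE_DOMAINS).items():
        print(label, info["families"], info["hosts"])
```

A shared unusual label is a lead, not proof: the next step is to confirm with registration, hosting and sample-level overlap before attributing both families to one operator.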