Saturday, September 7, 2024
HomeAndroidBeware Of New BingoMod Android Malware Steals Money & Formats Device

Beware Of New BingoMod Android Malware Steals Money & Formats Device

Published on

The wide use and the huge user base of Android often lucrative the threat actors. 

As threat actors often use Android malware to exploit vulnerabilities in the Android operating system

This enables them to perform several illicit activities like stealing sensitive information, tracking user activity, and gaining unauthorized access to devices.

- Advertisement - EHA

Cleafy researchers recently detected a brand new Android Remote Access Trojan (RAT) at the end of May 2024, named “BingoMod.”

BingoMod Android Malware

This malware enables account takeover through on-device fraud techniques, similar to trojans like Medusa and Teabot. 

One of the key features of BingoMod is that it can wipe devices after fraudulent activities have taken place just like Brata, consequently making forensic analysis difficult.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

It is still at that stage when there are only a few samples, but it already uses obfuscation, suggesting an opportunistic behavior rather than targeting specific companies.

BingoMod represents the increasing tendency among mobile malware to be more versatile and evasive rather than specialized attacks.

Besides this, BingoMod is disguised as a security tool and exploits Accessibility Services to activate its malicious functions.

It uses keylogging and SMS interception to seize sensitive material while establishing dual-channel communication with command and control (C2) infrastructure.

C2 communication scheme during VNC routine (Source – Cleafy)

By leveraging Android Media Projection API plus Accessibility Services, this malware makes use of VNC-like routines and screen interaction for advanced remote control.

This enables threat actors to manipulate the infected device directly to carry out “On Device Fraud.”

BingoMod’s weaponry also includes phishing capacity through overlay attacks and fake notifications, SMS-based self-propagation, and robust security measures.

Starting phase of BingoMod (Source – Cleafy)

These security measures include blocking particular applications, locking down system settings, and wiping external storage remotely after fraud has occurred. All these measures significantly increase its ability to detect evasion.

BingoMod’s development orbit has gone through a stage of experimentation that focused on obfuscation techniques rather than advancing functionality.

Reviewing code versions reveals small changes in structure but devoted efforts have been put into code-flattening and string obfuscation, which have significantly decreased the antivirus detection rates.

The malware’s codebase is composed of English, Romanian, and Italian languages with various typos and debugging artifacts, suggesting ongoing development by a potentially diverse team.

Suspicious upload of BingoMod from Romanian country (Source – Cleafy)

Incorporating common RAT features like HiddenVNC, SMS manipulation, and keylogging, BingoMod doesn’t possess advanced elements like Automatic Transfer Systems.

Its post-fraud device-wiping capability, similar to Brata malware, serves as a simple exit strategy, reads the report.

This approach repeats well with the current mobile banking Trojan landscape that highlights On-Device Fraud through Account Takeover instead of complex automation calling for direct device access manipulation.

However, this hands-on approach is not scalable and may expose the operators to greater detection risks.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...