Beware Of New BingoMod Android Malware Steals Money & Formats Device

The wide use and the huge user base of Android often lucrative the threat actors. 

As threat actors often use Android malware to exploit vulnerabilities in the Android operating system

This enables them to perform several illicit activities like stealing sensitive information, tracking user activity, and gaining unauthorized access to devices.

Cleafy researchers recently detected a brand new Android Remote Access Trojan (RAT) at the end of May 2024, named “BingoMod.”

BingoMod Android Malware

This malware enables account takeover through on-device fraud techniques, similar to trojans like Medusa and Teabot. 

One of the key features of BingoMod is that it can wipe devices after fraudulent activities have taken place just like Brata, consequently making forensic analysis difficult.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

It is still at that stage when there are only a few samples, but it already uses obfuscation, suggesting an opportunistic behavior rather than targeting specific companies.

BingoMod represents the increasing tendency among mobile malware to be more versatile and evasive rather than specialized attacks.

Besides this, BingoMod is disguised as a security tool and exploits Accessibility Services to activate its malicious functions.

It uses keylogging and SMS interception to seize sensitive material while establishing dual-channel communication with command and control (C2) infrastructure.

C2 communication scheme during VNC routine (Source – Cleafy)

By leveraging Android Media Projection API plus Accessibility Services, this malware makes use of VNC-like routines and screen interaction for advanced remote control.

This enables threat actors to manipulate the infected device directly to carry out “On Device Fraud.”

BingoMod’s weaponry also includes phishing capacity through overlay attacks and fake notifications, SMS-based self-propagation, and robust security measures.

Starting phase of BingoMod (Source – Cleafy)

These security measures include blocking particular applications, locking down system settings, and wiping external storage remotely after fraud has occurred. All these measures significantly increase its ability to detect evasion.

BingoMod’s development orbit has gone through a stage of experimentation that focused on obfuscation techniques rather than advancing functionality.

Reviewing code versions reveals small changes in structure but devoted efforts have been put into code-flattening and string obfuscation, which have significantly decreased the antivirus detection rates.

The malware’s codebase is composed of English, Romanian, and Italian languages with various typos and debugging artifacts, suggesting ongoing development by a potentially diverse team.

Suspicious upload of BingoMod from Romanian country (Source – Cleafy)

Incorporating common RAT features like HiddenVNC, SMS manipulation, and keylogging, BingoMod doesn’t possess advanced elements like Automatic Transfer Systems.

Its post-fraud device-wiping capability, similar to Brata malware, serves as a simple exit strategy, reads the report.

This approach repeats well with the current mobile banking Trojan landscape that highlights On-Device Fraud through Account Takeover instead of complex automation calling for direct device access manipulation.

However, this hands-on approach is not scalable and may expose the operators to greater detection risks.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago