Beware Of New BingoMod Android Malware Steals Money & Formats Device

The wide use and the huge user base of Android often lucrative the threat actors. 

As threat actors often use Android malware to exploit vulnerabilities in the Android operating system

This enables them to perform several illicit activities like stealing sensitive information, tracking user activity, and gaining unauthorized access to devices.

Cleafy researchers recently detected a brand new Android Remote Access Trojan (RAT) at the end of May 2024, named “BingoMod.”

BingoMod Android Malware

This malware enables account takeover through on-device fraud techniques, similar to trojans like Medusa and Teabot. 

One of the key features of BingoMod is that it can wipe devices after fraudulent activities have taken place just like Brata, consequently making forensic analysis difficult.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

It is still at that stage when there are only a few samples, but it already uses obfuscation, suggesting an opportunistic behavior rather than targeting specific companies.

BingoMod represents the increasing tendency among mobile malware to be more versatile and evasive rather than specialized attacks.

Besides this, BingoMod is disguised as a security tool and exploits Accessibility Services to activate its malicious functions.

It uses keylogging and SMS interception to seize sensitive material while establishing dual-channel communication with command and control (C2) infrastructure.

C2 communication scheme during VNC routine (Source – Cleafy)

By leveraging Android Media Projection API plus Accessibility Services, this malware makes use of VNC-like routines and screen interaction for advanced remote control.

This enables threat actors to manipulate the infected device directly to carry out “On Device Fraud.”

BingoMod’s weaponry also includes phishing capacity through overlay attacks and fake notifications, SMS-based self-propagation, and robust security measures.

Starting phase of BingoMod (Source – Cleafy)

These security measures include blocking particular applications, locking down system settings, and wiping external storage remotely after fraud has occurred. All these measures significantly increase its ability to detect evasion.

BingoMod’s development orbit has gone through a stage of experimentation that focused on obfuscation techniques rather than advancing functionality.

Reviewing code versions reveals small changes in structure but devoted efforts have been put into code-flattening and string obfuscation, which have significantly decreased the antivirus detection rates.

The malware’s codebase is composed of English, Romanian, and Italian languages with various typos and debugging artifacts, suggesting ongoing development by a potentially diverse team.

Suspicious upload of BingoMod from Romanian country (Source – Cleafy)

Incorporating common RAT features like HiddenVNC, SMS manipulation, and keylogging, BingoMod doesn’t possess advanced elements like Automatic Transfer Systems.

Its post-fraud device-wiping capability, similar to Brata malware, serves as a simple exit strategy, reads the report.

This approach repeats well with the current mobile banking Trojan landscape that highlights On-Device Fraud through Account Takeover instead of complex automation calling for direct device access manipulation.

However, this hands-on approach is not scalable and may expose the operators to greater detection risks.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Halo ITSM Vulnerability Lets Attackers Inject Malicious SQL Code

A critical security flaw has been discovered in Halo ITSM, an IT support management software widely…

3 minutes ago

Australian Pension Funds Hacked: Members Face Financial Losses

Several of Australia’s largest superannuation funds have been targeted in a coordinated cyberattack, leading to…

40 minutes ago

Frida Penetration Testing Toolkit Updated with Advanced Threat Monitoring APIs

In a significant update to the popular dynamic instrumentation toolkit Frida, developers have introduced powerful…

48 minutes ago

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability…

3 hours ago

Apache Traffic Server Flaw Allows Request Smuggling Attacks

A critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching proxy…

3 hours ago

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

15 hours ago