
Android Malware BingoMod Steals Money, Wipes Devices

Malware Enables Overlay Attacks and Remote Access to Compromised Devices

A newly discovered remote access Trojan is attacking Android users primarily to initiate money transfers on infected devices, but it has an additional capability: It can wipe the infected device once it's done.


Security firm Cleafy said it analyzed a previously undiscovered Android RAT in May that it dubbed BingoMod. The app poses as a legitimate mobile security tool. Once installed, BingoMod requests the user to grant it access to AccessibilityServices, an oft-abused operating system feature designed to allow developers to adapt apps to users with disabilities. The feature grants apps a wide range of high-level permissions, allowing hackers to capture sensitive data. If the user complies, the app activates its malicious payload.

BingoMod operates covertly in the background, using keylogging and SMS interception to capture user credentials. Once the attackers gain control of the device, they initiate unauthorized money transfers.

The malware is equipped with features that enable overlay attacks and remote access to compromised devices using VNC-like functionality. After a successful fraudulent transfer, BingoMod typically wipes the infected device, removing any traces of its activity to hinder forensic investigations.

Cleafy's investigation revealed that BingoMod targets devices that use English, Romanian and Italian languages. The malware's code contains comments that suggest the developers could be Romanian speakers.

BingoMod belongs to the modern generation of mobile RATs that let threat actors carry out account takeover (ATO) directly from infected devices.

The malware also requires live operators to authorize money transfers, which limits its scalability.

The malware establishes a socket-based connection with its command-and-control infrastructure to receive commands from the threat actors, which lets them perform roughly 40 remote operations, including real-time screen control and screen navigation.

BingoMod can conduct phishing attacks through overlay attacks and fake notifications. These overlay attacks are initiated directly by the malware operator rather than being triggered when specific target apps are opened. BingoMod can also send SMS messages from the compromised device to spread the malware further.

To protect itself, BingoMod makes it harder for the user to edit system settings on the device. It restricts the functionality of certain apps and may even uninstall other apps if needed.
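The capabilities described above (accessibility-service abuse, overlays, SMS interception and spreading, and a device wipe) each require a specific Android permission or component binding, and the combination is what makes a supposed "security tool" suspicious. The following triage script is an added example, not Cleafy's or any vendor's code: it parses a decoded AndroidManifest.xml and flags that combination. The permission strings are real Android identifiers; the capability grouping and the sample manifest are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups mirroring the behaviours the article attributes to BingoMod.
# The permission strings are real Android identifiers; the grouping is this example's own.
CAPABILITIES = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_spreading": {"android.permission.SEND_SMS"},
    "device_admin_wipe": {"android.permission.BIND_DEVICE_ADMIN"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect permissions an app requests (<uses-permission>) and those it
    requires of its own components (android:permission on <service>/<receiver>),
    which is how accessibility services and device-admin receivers are bound."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter():
        if el.tag == "uses-permission" and el.get(ANDROID_NS + "name"):
            perms.add(el.get(ANDROID_NS + "name"))
        if el.get(ANDROID_NS + "permission"):
            perms.add(el.get(ANDROID_NS + "permission"))
    return perms

def triage(manifest_xml: str) -> dict:
    """Rate the RAT-style combination high: an accessibility-service binding
    plus at least two of overlay, SMS or device-admin capabilities."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)
    high = "accessibility_abuse" in hits and len(hits) >= 3
    return {"capabilities": hits, "verdict": "high" if high else "low"}

# Constructed sample manifest for a fake "mobile security" app (not a real BingoMod artefact).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST))
```

Run it against manifests decoded with a tool such as apktool; a single capability on its own is normal for many legitimate apps, so only the combination is scored.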


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



