Android Malware BingoMod Steals Money, Wipes Devices
Malware Enables Overlay Attacks and Remote Access to Compromised Devices

A newly discovered remote access Trojan is attacking Android users primarily to initiate money transfers on infected devices, but it has an additional capability: It can wipe the infected device once it's done.
Security firm Cleafy said it analyzed a previously undocumented Android RAT in May that it dubbed BingoMod. The app poses as a legitimate mobile security tool. Once installed, BingoMod asks the user to grant it access to Accessibility Services, an oft-abused operating system feature designed to let developers adapt apps for users with disabilities. An app holding that access can read what is displayed on the screen and perform taps and text entry on the user's behalf, which is what allows the malware to capture sensitive data and drive the device. If the user complies, the app activates its malicious payload.
BingoMod operates covertly in the background, using keylogging and SMS interception to capture user credentials. Once the attackers gain control of the device, they initiate unauthorized money transfers.
The malware is equipped with features that enable overlay attacks and remote access to compromised devices using VNC-like functionality. After a successful fraudulent transfer, BingoMod typically wipes the infected device, removing any traces of its activity to hinder forensic investigations.
Cleafy's investigation revealed that BingoMod targets devices that use English, Romanian and Italian languages. The malware's code contains comments that suggest the developers could be Romanian speakers.
BingoMod belongs to the current generation of mobile RATs that let threat actors carry out account takeover (ATO) directly from the infected device. The trade-off is that a live operator has to drive and authorize each money transfer, which limits how far the malware can scale.
The malware establishes a socket-based connection to its command-and-control infrastructure and receives commands over it, giving the operators roughly 40 remote operations, including real-time screen control and screen navigation.
BingoMod can conduct phishing attacks through overlay attacks and fake notifications. These overlay attacks are initiated directly by the malware operator rather than being triggered when specific target apps are opened. BingoMod can also send SMS messages from the compromised device to spread the malware further.
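The two capabilities this article describes, an accessibility service granted to a third-party app and the overlay permission (SYSTEM_ALERT_WINDOW) that makes on-demand overlay attacks possible, are both visible in device settings that an analyst can pull over adb. The following triage script is an added example and is not code from the article or from Cleafy. It parses the text output of three real adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, `appops get <package> SYSTEM_ALERT_WINDOW`); the sample outputs embedded in it are constructed, and the package name `com.example.securityscanner` is a hypothetical placeholder, not a BingoMod indicator.

```python
"""Flag third-party Android apps that hold accessibility access or the
overlay permission, from adb command output.

Added example, not code from the article or from Cleafy. The command
output formats are real; the SAMPLE values below are constructed and the
package com.example.securityscanner is a hypothetical placeholder.

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
    adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- constructed sample output (not real device data) ----------------------
ENABLED_SERVICES_SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securityscanner/.ProtectionService"
)
THIRD_PARTY_SAMPLE = (
    "package:com.example.securityscanner\n"
    "package:org.mozilla.firefox\n"
)
APPOPS_SAMPLE = {
    "com.example.securityscanner": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m4s ago\n",
    "org.mozilla.firefox": "No operations.\n",
}


@dataclass(frozen=True)
class Finding:
    package: str
    accessibility_service: Optional[str]  # fully qualified component, if enabled
    overlay_allowed: bool


def parse_enabled_services(raw: str) -> Dict[str, str]:
    """Map package -> fully qualified service class from the secure setting.

    The setting reads 'null' or '' when nothing is enabled. Entries are
    colon-separated 'package/class'; a class beginning with '.' is relative
    to the package name.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return {}
    services: Dict[str, str] = {}
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services[pkg] = cls
    return services


def parse_third_party_packages(raw: str) -> Set[str]:
    """Collect package names from 'pm list packages -3' output."""
    return {
        line[len("package:"):].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports the SYSTEM_ALERT_WINDOW op as 'allow'."""
    for line in appops_output.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == "SYSTEM_ALERT_WINDOW":
            return rest.strip().split(";")[0].strip() == "allow"
    return False


def triage(enabled_raw: str, third_party_raw: str,
           appops_by_pkg: Dict[str, str]) -> List[Finding]:
    """One Finding per third-party package with accessibility or overlay
    access. System apps such as TalkBack never appear, because they are
    absent from the 'pm list packages -3' output."""
    services = parse_enabled_services(enabled_raw)
    third_party = parse_third_party_packages(third_party_raw)
    findings: List[Finding] = []
    for pkg in sorted(third_party):
        svc = services.get(pkg)
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        if svc or overlay:
            findings.append(Finding(pkg, svc, overlay))
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_SERVICES_SAMPLE, THIRD_PARTY_SAMPLE, APPOPS_SAMPLE):
        print(f"{f.package}: accessibility={f.accessibility_service} "
              f"overlay={f.overlay_allowed}")
```

Run this against a live device by substituting the real command output for the sample strings. Because BingoMod wipes the device after a fraudulent transfer, collect these settings as early in the investigation as possible; an app that both runs an accessibility service and holds the overlay permission is the profile to look at first, since that combination gives an operator screen reading, input injection and on-demand overlays together.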
To protect itself, BingoMod makes it harder for the user to change system settings on the device. It also restricts the functionality of certain apps and can uninstall other apps if needed.