BingoMod Banking Trojan Could Infiltrate Android Devices to Steal Data

Cybersecurity experts have identified a new Android remote access trojan (RAT) named BingoMod. This sophisticated malware not only orchestrates fraudulent money transfers from compromised devices but also attempts to wipe them, erasing traces of its activities. Italian cybersecurity firm Cleafy, which discovered BingoMod in late May 2024, revealed that the malware is still under active development. The presence of Romanian language comments in the source code suggests a Romanian-speaking threat actor is behind it.

Modern RAT Capabilities

BingoMod belongs to the modern generation of RAT-style mobile malware: its remote access capabilities let threat actors carry out Account Takeover (ATO) directly from the infected device, a technique known as on-device fraud (ODF). The same technique has been seen in other Android banking trojans such as Medusa (also known as TangleBot), Copybara, and TeaBot (also known as Anatsa).

Self-Destruction Mechanism

Much like the BRATA malware, BingoMod distinguishes itself with a self-destruction mechanism designed to hinder forensic analysis by wiping evidence of fraudulent transfers. Although this functionality currently targets only the device's external storage, there are suspicions that its remote access features could facilitate a complete factory reset.

Tactics and Techniques

The malware masquerades as antivirus tools or updates for Google Chrome and is often installed through smishing tactics, prompting users to grant it accessibility services permissions. Once granted, BingoMod executes its payload, locks the user out of the main screen, and exfiltrates device information to an attacker-controlled server. It also exploits the accessibility services API to steal sensitive information displayed on the screen, such as credentials and bank account balances, and intercepts SMS messages.

Real-Time Fraud Execution

To execute money transfers, BingoMod establishes a socket-based connection with its command-and-control (C2) infrastructure, receiving up to 40 commands remotely. These commands enable the malware to take screenshots using Android's Media Projection API and interact with the device in real-time. Unlike automated transfer systems (ATS) that conduct financial fraud at scale, the ODF technique used by BingoMod relies on a live operator to perform money transfers of up to €15,000 (~$16,100) per transaction.

Evasion Techniques and Phishing Capabilities

The threat actor behind BingoMod employs various evasion techniques, including code obfuscation and the ability to uninstall arbitrary apps from compromised devices, indicating a preference for simplicity over advanced features. Additionally, BingoMod demonstrates phishing capabilities through overlay attacks and fake notifications. Unlike traditional overlay attacks that are triggered when specific target apps are opened, BingoMod's overlay attacks are initiated directly by the malware operator.
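The two indicators the article singles out, an accessibility service enabled for a sideloaded app that impersonates Chrome or an antivirus product, and an overlay permission granted to the same app, can be triaged from plain `adb` output. The script below is an added example written for this page, not Cleafy's code or anything taken from the malware; it parses the formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `adb shell pm list packages -i` (`package:<pkg> installer=<pkg|null>`), takes the set of packages with the overlay permission as a plain input, and scores each app against a small, assumed allowlist. All sample data, including the lookalike package name `com.chrome.update.helper`, is constructed.

```python
# Defender-side triage of Android device settings for BingoMod-style indicators.
# Added example for this page; not Cleafy's code and not derived from the malware.
# Input formats follow `adb shell settings get secure enabled_accessibility_services`
# and `adb shell pm list packages -i`. Every sample value below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed allowlist: packages expected to run an accessibility service on a managed fleet.
KNOWN_GOOD_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
# Real package ids that lookalike names should be compared against.
LEGIT_PACKAGES = {"com.android.chrome"}
# Brand words the article says BingoMod droppers borrow (Chrome updates, antivirus tools).
IMPERSONATED_BRANDS = ("chrome", "antivirus", "security")


@dataclass
class AppInfo:
    package: str
    installer: Optional[str]          # None means sideloaded / no store installer recorded
    has_accessibility: bool = False
    can_draw_overlays: bool = False


def parse_enabled_accessibility_services(raw: str) -> Set[str]:
    """Return the packages owning an enabled accessibility service.
    The setting value is 'pkg/service:pkg2/service2', or 'null' when empty."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0].strip() for entry in raw.split(":") if entry.strip()}


def parse_pm_list_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map each package to its installer from `pm list packages -i` output."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer: Optional[str] = None
        for token in rest.split():
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        result[pkg] = installer
    return result


def looks_like_brand_impersonation(package: str) -> bool:
    """Flag package names that borrow a browser/antivirus brand but are not the real app."""
    if package in LEGIT_PACKAGES:
        return False
    name = package.lower()
    return any(brand in name for brand in IMPERSONATED_BRANDS)


def score_app(app: AppInfo) -> List[str]:
    """List the indicators matching one app; an empty list means nothing notable."""
    findings: List[str] = []
    if app.has_accessibility and app.package not in KNOWN_GOOD_ACCESSIBILITY:
        findings.append("accessibility service enabled outside allowlist")
    if app.can_draw_overlays:
        findings.append("overlay (draw over other apps) permission granted")
    if app.installer is None:
        findings.append("sideloaded (no store installer recorded)")
    if looks_like_brand_impersonation(app.package):
        findings.append("package name imitates a browser/antivirus brand")
    return findings


def triage(enabled_services_raw: str, pm_list_raw: str, overlay_granted: Set[str]) -> Dict[str, List[str]]:
    """Return {package: findings} for every installed app with at least one indicator."""
    accessible = parse_enabled_accessibility_services(enabled_services_raw)
    installers = parse_pm_list_installers(pm_list_raw)
    report: Dict[str, List[str]] = {}
    for pkg, installer in installers.items():
        app = AppInfo(pkg, installer, pkg in accessible, pkg in overlay_granted)
        findings = score_app(app)
        if findings:
            report[pkg] = findings
    return report


# Constructed sample output: one benign screen reader, real Chrome, and one lookalike dropper.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.chrome.update.helper/.AccService"
)
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.helper  installer=null
"""
SAMPLE_OVERLAY_GRANTED = {"com.chrome.update.helper"}


def triage_sample() -> Dict[str, List[str]]:
    return triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST, SAMPLE_OVERLAY_GRANTED)


if __name__ == "__main__":
    for pkg, findings in triage_sample().items():
        print(pkg)
        for item in findings:
            print("  -", item)
```

On the constructed sample only the lookalike package is reported, with all four indicators; the screen reader is excluded by the allowlist and real Chrome by its store installer and legitimate package id. The allowlist and brand list are the parts a fleet operator would tune, and the overlay set would in practice be filled from `appops` queries rather than typed in.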

In summary, BingoMod represents a significant evolution in Android RATs, combining advanced remote access capabilities with sophisticated evasion and self-destruction mechanisms. As cybersecurity researchers continue to monitor its development, it is crucial for users to remain vigilant and cautious, ensuring they only download apps from trusted sources and regularly update their device security settings to protect against such threats.

August 2, 2024
