Introduction
Alert Scam Warriors! Cybersecurity researchers have uncovered a new Android Banking Trojan named BingoMod. This sophisticated malware not only conducts fraudulent money transfers but also wipes compromised devices to erase traces of its activity. Here’s an in-depth look into BingoMod and its dangerous capabilities.
Discovery and Development
The trojan was discovered by the Italian cybersecurity firm Cleafy towards the end of May 2024. The researchers believe the malware is still under active development and have attributed it to a Romanian-speaking threat actor, based on Romanian language comments found in the source code of early versions.
BingoMod is part of the modern generation of mobile malware, characterized by its remote access capabilities that allow threat actors to take over accounts directly from infected devices, exploiting a technique known as on-device fraud (ODF). This method is also seen in other Android banking trojans like Medusa, Copybara, and TeaBot.
Self-Destruction Mechanism and Bypassing Antivirus Apps
Similar to the BRATA trojan, BingoMod employs a self-destruction mechanism designed to remove evidence of fraudulent activity from the infected device. This feature, currently limited to the device’s external storage, could potentially be used to initiate a complete factory reset, further hindering forensic analysis.
If all that wasn’t scary enough, BingoMod can also uninstall antivirus apps from an infected smartphone and block the activity of any apps specified by the hackers. This makes it extremely difficult for users to detect and remove the malware from their devices.
Smishing Tactics and App Masquerading
BingoMod spreads through smishing tactics, where malicious apps disguise themselves as antivirus tools or updates for popular software like Google Chrome. Once installed, these apps prompt users to grant accessibility service permissions, which are then exploited to execute the main payload, lock the user out, and collect sensitive device information. This data is exfiltrated to an attacker-controlled server.
The trojan abuses the accessibility services API to steal information displayed on the screen, such as credentials and bank account balances, and to intercept SMS messages. This allows the malware to execute various malicious actions undetected.
Remote Commands, Real-Time Control and Evasion
BingoMod establishes a socket-based connection with its command-and-control (C2) infrastructure, receiving up to 40 remote commands. These commands enable the malware to take screenshots using Android’s Media Projection API and interact with the device in real-time. This real-time control is crucial for performing fraudulent money transfers directly from the compromised device.
Unlike Automated Transfer Systems (ATS), which carry out financial fraud at scale, BingoMod relies on a live operator to execute these transfers. This operator can transfer up to €15,000 (~$16,100) per transaction, making the ODF technique particularly dangerous.
To avoid detection, BingoMod uses code-flattening and string obfuscation layers. Even the popular malware analysis service VirusTotal failed to flag this new Android malware at the time of discovery. This emphasis on simplicity over advanced features indicates that the malware authors prioritize staying under the radar while ensuring effective operation.
Phishing Capabilities and Deleting Evidence
The malware also includes phishing capabilities through overlay attacks and fake notifications. Interestingly, these overlay attacks are not triggered by specific target apps but are initiated directly by the malware operator, making them more unpredictable and harder to detect.
If BingoMod is registered on the device as a device admin app, a hacker can send a remote command to wipe the device. While Cleafy’s researchers note that this functionality is currently limited to external storage and only executed after a successful transfer, a complete wipe is possible. Hackers could use this ability to erase all of a device’s data and then reset the phone via system settings, leaving no trace of the malware behind.
Protecting Against BingoMod
Given the sophisticated nature of BingoMod, users must remain vigilant and take proactive steps to protect their devices:
- Avoid Clicking on Unknown Links: Be wary of links received via SMS, email, or other messaging platforms.
- Download Apps from Official Sources: Only download apps from reputable sources like the Google Play Store.
- Review App Permissions: Regularly check and manage app permissions, especially those requesting access to accessibility services.
- Use Security Software: Install reliable mobile security software to detect and prevent malware infections.
- Keep Software Updated: Ensure your device’s operating system and all installed apps are up to date with the latest security patches.
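The accessibility-service abuse described earlier and the "Review App Permissions" advice above both come down to one practical check: which packages on the device currently hold accessibility access, and are any of them third-party apps you did not expect? The script below is an added example written for this article, not code from Cleafy or from the malware analysis. It assumes you have pulled two pieces of data over adb, the value of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries) and the output of `adb shell pm list packages -3` (one `package:<name>` line per third-party app), and it flags any third-party package holding accessibility access that is not on a hypothetical allowlist. The sample inputs embedded in the block are constructed and do not represent a real BingoMod sample.

```python
"""Audit helper: flag third-party apps holding accessibility-service access.

Added example for this article. Inputs are expected to come from:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
The sample values below are constructed, not captured from a real device.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical allowlist of accessibility services you expect to see
# (screen readers and similar). Anything else deserves a closer look.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}

# Constructed sample: a legitimate screen reader plus a fake "Chrome update"
# app that was granted accessibility access after a smishing install.
SAMPLE_SETTINGS_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome.update/.AccessService"
)
SAMPLE_PM_OUTPUT = "package:com.example.fakechrome.update\npackage:com.example.bank\n"


@dataclass(frozen=True)
class AccessibilityFinding:
    package: str
    service: str
    third_party: bool   # installed by the user, not part of the system image
    allowlisted: bool   # on the reviewer's expected-services list


def parse_enabled_services(settings_value: str) -> list[tuple[str, str]]:
    """Parse enabled_accessibility_services into (package, service) pairs.

    The setting is colon-separated; each entry is package/ServiceClass.
    An empty value or the literal string 'null' means nothing is enabled.
    """
    value = settings_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):          # class name relative to the package
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_third_party_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages -3` output: one 'package:<name>' per line."""
    packages = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def audit(settings_value: str, pm_output: str,
          allowlist: set[str] = ALLOWED_ACCESSIBILITY_PACKAGES) -> list[AccessibilityFinding]:
    """Combine both inputs into one finding per enabled accessibility service."""
    third_party = parse_third_party_packages(pm_output)
    return [
        AccessibilityFinding(pkg, svc, pkg in third_party, pkg in allowlist)
        for pkg, svc in parse_enabled_services(settings_value)
    ]


def suspicious(findings: list[AccessibilityFinding]) -> list[AccessibilityFinding]:
    """Third-party packages with accessibility access that nobody approved."""
    return [f for f in findings if f.third_party and not f.allowlisted]


if __name__ == "__main__":
    for finding in suspicious(audit(SAMPLE_SETTINGS_VALUE, SAMPLE_PM_OUTPUT)):
        print(f"REVIEW: {finding.package} runs accessibility service {finding.service}")
```

On a real device the same two adb commands feed the script; a hit means an app you installed from outside the store is reading the screen and able to inject input, which is exactly the capability BingoMod needs, so revoke it under Settings > Accessibility and uninstall the app if you do not recognise it. Device-admin enrolment (the capability behind the remote wipe) is a separate setting and should be reviewed the same way under Settings > Security.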
Conclusion
The emergence of BingoMod highlights the ever-evolving threat landscape of mobile malware. Its advanced capabilities, including remote access, real-time control, and self-destruction mechanisms, make it a significant threat to Android users. Staying informed and adopting robust security practices is essential to safeguarding against such sophisticated attacks.