Beware of BingoMod! This dangerous Android malware steals your money, wipes your phone, and takes control of your device. Learn how to protect yourself from this insidious threat. Stay safe online!
Computer security solutions provider Cleafy has discovered a devious remote access trojan (RAT) targeting Android users to steal sensitive information and funds through account takeover. The malware, dubbed BingoMod, performs overlay attacks and provides remote access through VNC-like (virtual network computing) functionality.
This multi-feature trojan was discovered in May 2024. It can bypass authentication, verification, and behavioural detection protections by performing on-device fraud (ODF), as seen in several other banking trojans like Medusa, Copybara, and Teabot.
BingoMod operates under the guise of legitimate applications, often posing as mobile security tools like “APP Protection,” “AVG AntiVirus & Security,” or “WebSecurity,” to lure users into downloading/installing the malware on their devices.
According to Cleafy’s blog post, once installed, BingoMod requests Accessibility Services permissions to execute the malicious payload. It aims to provide sensitive data to its operators through two mechanisms: key-logging, which exploits Accessibility Services to steal login credentials or account balances, and SMS interception, which monitors SMS messages used by financial institutions for transaction authentication numbers (TANs). It also establishes a socket-based connection with the C2 for ODF.
The malware offers around 40 remote control functions, including real-time screen control through VNC-like routines and screen interaction. It uses Android’s Media Projection API to capture screenshots of the victim’s device screen, giving operators a comprehensive overview of what is displayed. Hackers can send arbitrary commands to affected devices, allowing them to attack banking apps and steal up to 15,000 euros per transaction.
The malware allows threat actors to send SMS messages from infected devices, potentially spreading the malware further. To hinder removal, it can prevent users from editing system settings, blocking specific applications, and uninstalling applications.
To further cover its tracks, BingoMod employs code obfuscation techniques, making it difficult for security software to detect its presence. Some variants of the malware can wipe the device’s data through a factory reset to eliminate evidence of the theft, a tactic reminiscent of the Brata malware, though the two are not directly connected.
BingoMod is currently targeting devices using English, Romanian, and Italian languages. Researchers believe that it is currently in the development phase and operators are experimenting with obfuscation techniques to lower detection rates against antivirus solutions.
We recommend taking a proactive approach to mobile security to prevent such threats. Always download apps cautiously, and pay close attention to app permissions, especially if they request access to features like Accessibility Services or screenshot capture. Use a reliable mobile security solution and regularly update your Android device and apps with the latest security patches.
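The permission check recommended above can be automated for APKs you are asked to vet. The following is an added example, not code from Cleafy or the original article: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the function names and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}

def audit_manifest(xml_text):
    """Return the sorted capability flags found in one decoded AndroidManifest.xml."""
    # For manifests from untrusted sources, the defusedxml package is a safer parser.
    root = ET.fromstring(xml_text)
    flags = set()
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if requested & SMS_PERMS:
        flags.add("sms")
    for svc in root.iter("service"):
        # An accessibility service must be guarded by this bind permission.
        if svc.get(NS + "permission") == A11Y_BIND:
            flags.add("accessibility")
        # Screen capture from a service needs this foreground type (Android 10+).
        if "mediaProjection" in (svc.get(NS + "foregroundServiceType") or "").split("|"):
            flags.add("screen-capture")
    return sorted(flags)

def needs_review(flags):
    """Accessibility combined with SMS access or screen capture warrants a manual look."""
    return "accessibility" in flags and len(flags) > 1

# Constructed samples (hypothetical package names, not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeprotect">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Cast" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messages">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application><service android:name=".Sync"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        flags = audit_manifest(doc)
        print(name, flags, "REVIEW" if needs_review(flags) else "ok")
```

Legitimate apps such as screen readers also declare accessibility services, so treat a hit as a triage signal for manual review rather than a verdict.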