A new Android remote access trojan (RAT) named BingoMod has been uncovered by cybersecurity researchers. The RAT not only performs unauthorized money transfers from infected devices but also wipes them afterwards to conceal traces of the malware.
Discovered by Italian cybersecurity company Cleafy at the end of May 2024, the malware is still under active development. The firm attributed the Android trojan to a probable Romanian-speaking threat actor based on Romanian-language comments in the source code of early versions.
“BingoMod is part of the new RAT category of mobile malware that allows threat actors (TAs) to execute Account Takeover (ATO) directly from the compromised device, exploiting the on-device fraud (ODF) methodology,” said researchers Alessandro Strino and Simone Mattia.

It is worth noting that similar techniques have been observed in other Android banking trojans such as Medusa (also known as TangleBot), Copybara, and TeaBot (also known as Anatsa).
Like BRATA, BingoMod also stands out for a self-destruct mechanism intended to remove any evidence of the fraudulent transfer from the infected device and so hinder forensic investigation. Although this wipe is confined to the device's external storage, the researchers suspect that the remote access capabilities could be used to trigger a full factory reset.
Some of the bogus applications pose as antivirus utilities or as a Google Chrome update. Once installed, they ask the user for accessibility service permissions, which they then use to carry out the malicious activity.
That activity includes launching the main payload and locking the user out of the main screen while harvesting device details, which are sent to an attacker-controlled server. The malware also abuses the accessibility services API to steal sensitive information displayed on the screen, such as credentials and bank balances, and to grant itself the ability to intercept SMS messages.
To initiate fund transfers directly from the compromised devices, BingoMod establishes a socket-based connection to its command-and-control (C2) infrastructure, over which it accepts up to 40 remote commands, including capturing screenshots through Android's Media Projection API and interacting with the device in real time.
This means the on-device fraud (ODF) approach relies on a live operator to carry out money transfers of up to €15,000 (~$16,100) per transaction, rather than on an Automated Transfer System (ATS) for large-scale automated fraud.
Another notable aspect is the threat actor's emphasis on evading detection through code obfuscation techniques and on the ability to uninstall any application from the compromised device at will, which suggests that the malware's authors favour simplicity over advanced functionality.
“In addition to real-time screen control, the malware exhibits phishing capabilities using Overlay Attacks and counterfeit notifications,” the researchers mentioned. “Interestingly, overlay attacks are not triggered upon opening specific target apps but are initiated directly by the malware operator.”
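The abuse chain described above (a third-party app requesting accessibility service access, then using it to read the screen, grant itself SMS interception and draw phishing overlays) leaves a footprint that a responder can check for during device triage. The following Python script is an added example, not code from the article or from Cleafy: it parses the output of two `adb` commands a responder would collect (`settings get secure enabled_accessibility_services` and `pm list packages -3`) together with a per-package permission map, and flags any non-allowlisted third-party package that runs an enabled accessibility service, especially when that package also holds SMS or overlay (`SYSTEM_ALERT_WINDOW`) permissions. The allowlist, the package names and the permission map are constructed sample data.

```python
"""Triage check for accessibility-service abuse on an Android device (added example).

Inputs mirror what a responder collects with adb:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
plus a map of requested permissions per package (constructed here; in practice
extracted from each APK's manifest, e.g. with aapt or apkanalyzer).
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: a site-specific allowlist of packages expected to run accessibility services.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}

# Permissions that, combined with an enabled accessibility service, match the
# behaviour described for BingoMod: SMS interception and overlay phishing.
SUSPICIOUS_COMBINATION = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the colon-separated component list stored in the secure setting.

    Each entry has the form "<package>/<service class>"; a class name starting
    with "." is relative to the package. "null" or an empty string means none.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # malformed entry, skip rather than crash the triage
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service
        services.append((package, service))
    return services


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse `pm list packages -3` output (one "package:<name>" per line)."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def triage(enabled_raw: str, packages_raw: str, permissions: dict[str, list[str]]) -> list[Finding]:
    """Return findings for enabled accessibility services worth a closer look."""
    findings: list[Finding] = []
    third_party = parse_third_party_packages(packages_raw)
    for package, service in parse_enabled_services(enabled_raw):
        if package in TRUSTED_ACCESSIBILITY_PACKAGES:
            continue
        if package in third_party:
            findings.append(Finding(package, service, "third-party accessibility service not on allowlist"))
        overlap = SUSPICIOUS_COMBINATION & set(permissions.get(package, ()))
        if overlap:
            findings.append(Finding(package, service, "accessibility service plus " + ", ".join(sorted(overlap))))
    return findings


# Constructed sample data: one legitimate screen reader and one fake "antivirus" app.
SAMPLE_ENABLED = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/.ProtectService"
)
SAMPLE_PACKAGES = "package:com.example.fakeav\npackage:com.example.notes\n"
SAMPLE_PERMISSIONS = {
    "com.example.fakeav": [
        "android.permission.RECEIVE_SMS",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.INTERNET",
    ],
    "com.example.notes": ["android.permission.INTERNET"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED, SAMPLE_PACKAGES, SAMPLE_PERMISSIONS):
        print(f"{finding.package} ({finding.service}): {finding.reason}")
```

Run against the constructed sample, the script reports only the fake antivirus package, twice: once because a third-party app has an enabled accessibility service that is not on the allowlist, and once because that app also requests SMS and overlay permissions. A hit is a lead for manual review of the APK, not proof of infection; legitimate accessibility apps will show up until they are added to the allowlist.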