Beware Of New BingoMod Android Malware Steals Money & Formats Device


The wide use and the huge user base of Android often lucrative the threat actors. 

As threat actors often use Android malware to exploit vulnerabilities in the Android operating system. 

This enables them to perform several illicit activities like stealing sensitive information, tracking user activity, and gaining unauthorized access to devices.

Cleafy researchers recently detected a brand new Android Remote Access Trojan (RAT) at the end of May 2024, named “BingoMod.”

BingoMod Android Malware

This malware enables account takeover through on-device fraud techniques, similar to trojans like Medusa and Teabot. 

One of the key features of BingoMod is that it can wipe devices after fraudulent activities have taken place just like Brata, consequently making forensic analysis difficult.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

It is still at that stage when there are only a few samples, but it already uses obfuscation, suggesting an opportunistic behavior rather than targeting specific companies.

BingoMod represents the increasing tendency among mobile malware to be more versatile and evasive rather than specialized attacks.

Besides this, BingoMod is disguised as a security tool and exploits Accessibility Services to activate its malicious functions.

It uses keylogging and SMS interception to seize sensitive material while establishing dual-channel communication with command and control (C2) infrastructure.

C2 communication scheme during VNC routine (Source – Cleafy)

By leveraging Android Media Projection API plus Accessibility Services, this malware makes use of VNC-like routines and screen interaction for advanced remote control.

This enables threat actors to manipulate the infected device directly to carry out “On Device Fraud.”

BingoMod’s weaponry also includes phishing capacity through overlay attacks and fake notifications, SMS-based self-propagation, and robust security measures.

Starting phase of BingoMod (Source – Cleafy)

These security measures include blocking particular applications, locking down system settings, and wiping external storage remotely after fraud has occurred. All these measures significantly increase its ability to detect evasion.

BingoMod’s development orbit has gone through a stage of experimentation that focused on obfuscation techniques rather than advancing functionality.

Reviewing code versions reveals small changes in structure but devoted efforts have been put into code-flattening and string obfuscation, which have significantly decreased the antivirus detection rates.

The malware’s codebase is composed of English, Romanian, and Italian languages with various typos and debugging artifacts, suggesting ongoing development by a potentially diverse team.

Suspicious upload of BingoMod from Romanian country (Source – Cleafy)

Incorporating common RAT features like HiddenVNC, SMS manipulation, and keylogging, BingoMod doesn’t possess advanced elements like Automatic Transfer Systems.

Its post-fraud device-wiping capability, similar to Brata malware, serves as a simple exit strategy, reads the report.

This approach repeats well with the current mobile banking Trojan landscape that highlights On-Device Fraud through Account Takeover instead of complex automation calling for direct device access manipulation.

However, this hands-on approach is not scalable and may expose the operators to greater detection risks.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide



Source link